
June 10, 2013

UserGuide

Release 4.5.1

Retina CS UserGuide
Revision/Update Information: June 10, 2013
Software Version: Retina CS 4.5.1
Revision Number: 1
COPYRIGHT NOTICE
Copyright 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is
also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (BeyondTrust) or
BeyondTrust's authorized remarketer, if and when applicable.
TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and
may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when
applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying,
modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly
provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A
PARTICULAR PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This
software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation
that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture,
duplication, distribution or disclosure. (FAR 52.227-14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to
limited rights and other restrictions, as set forth in the Rights in Technical Data Noncommercial Items clause at DFARS 252.227-7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Virtualization,
PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker
Identity Services are trademarks of BeyondTrust.
Retina, Retina CS, Iris, Blink, Retina Web, and REM are registered trademarks of BeyondTrust. SecureIIS and Enterprise Update
Server are trademarks of BeyondTrust.
Windows is a registered trademark of Microsoft Corporation.
FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead, is entirely
coincidental.

BeyondTrust

June 10, 2013

Contents

I. Retina CS Management Console

Retina CS Overview  1
    Retina CS Architectural Overview  2
    Retina CS Components  3
    Retina Network Security Scanner (RNSS agent)  3
    Retina Protection Agent (RP agent)  3
    eEye Manager Service  3
    AppBus (Application Bus)  3
    Events Client  3
    Central Policy Server  4
    Enterprise Update Server  4
    Third Party Patch Service  4
    Scheduling Service  4
    Shared Services Engine  4
    How a Scan Works  5
    How Job Scheduling Works  6
    Access Retina CS  8
    Access the Client Portal  9

Retina CS Tools  10
    Overview  11
    Working with Smart Rules  11
    Understanding Smart Rule Filters  12
    Smart Rule Filters  13
    Predefined Smart Groups  14
    Creating an Asset Smart Rule  16
    Creating a Vulnerabilities Smart Rule  17
    Cloning a Smart Rule  19
    Marking a Smart Group as Inactive  20
    Creating an Address Group  20
    Creating a Smart Rule based on an Address Group  22
    Creating an Active Directory Query  22
    Working with Attributes  23
    Working with Tickets  25
    Creating a Ticket  25
    Managing Ticket Details  26
    Marking a Ticket as Inactive  27
    Tracking Open Tickets Using a Smart Rule  27

Reports and Scan Templates  30
    Running a Report on Existing Scan Data  31
    Creating Scheduled Reports  32
    Viewing Scheduled Reports in the Calendar View  32
    Reviewing Report Results  33
    Creating a Report  34
    Creating a Report Category  34
    Viewing and Downloading Reports  35
    Managing Report Templates  36
    Setting Report Output Options  36
    Configuring Scan Settings  38
    Working with Audit Groups  41
    Working with Port Groups  42
    Creating a Custom Audit  43
    Report Templates and Audit Groups  46
    Report Templates  46
    Audit Groups  54
    Regulatory Reporting Pack Audit Groups  54

Asset Management  55
    Interpreting Scan Results on the Dashboard  56
    Reviewing Asset Details  57
    Risk Scores  57
    Changing Asset Properties  58
    Changing the Display  58
    Setting Display Preferences  59
    Filtering Records  60
    Managing Jobs  61
    Reviewing Job Details  61
    Reviewing Scheduled Job Details  62
    Viewing Scheduled Scans in the Calendar View  63
    Viewing Scan Event Details  64
    Aborting or Pausing a Job  64
    Changing Job Page Settings  65

Mobility Scanning  67
    Overview  67
    Configuring a BlackBerry Connector  67
    Configuring an Android Connector  69
    Deploying the Application to Android Devices  70
    Configuring Settings on Android Devices  70
    Configuring an ActiveSync Connector  71
    Reviewing Mobility Scan Results  72
    Creating Custom Audits for Mobile Devices  72

Cloud Scanning  74
    Requirements  74
    Amazon EC2 Requirements  74
    VMWare VCenter Requirements  74
    Configuring a Cloud Connector  75
    Scanning Paused or Offline VMWare Images  76

Multi Tenant  78
    Overview  78
    Smart Rules Manager and Browser Pane  79
    Working with Scan Credentials  79
    Quick Rules  80
    Organization Filters  80
    Patch Management Module  80
    Mobility Connectors  81
    Retina Protection Agents  81
    Setting Up Organizations  82
    Step 1 Creating a Workgroup  82
    Step 2 Adding an Organization  83
    Step 3 Creating a User Group for a Tenant  84

Managing Users  85
    Creating User Groups  85
    User Group Permissions  87
    Access Levels  90
    Permissions Required for Configuration Options  90
    Creating User Accounts  91
    Reset Retina CS Account Password  92
    Auditing Retina CS Users  92
    Adding Credentials  93
    Creating an SSH Credential  93
    Creating Oracle Credentials  94
    Adding Credentials for Active Directory Access  95

Setting Retina CS Options  96
    Account Lockout Options  96
    Account Password Options  97
    Auto Update Options  97
    Display Options  98
    Email Notifications  98
    Maintenance Options  98
    Proxy Settings  100
    Refresh Settings  100

Maintenance  102
    Viewing Status for Scanners and Agents  102
    Determining if a Retina Agent is Available  102
    Removing Retina Agent Files  103
    Configuring a Failover Agent  104
    Creating a Support Package  104
    Diagnostics  106
    Monitoring Services  106

II. BeyondTrust Modules  108

Retina Scanner Agents  109
    Discovery Scanning  110
    Running a Discovery Scan  110
    Discovering Assets Using a Smart Group  111
    Discovering Assets Manually  111
    Running a Vulnerability Scan  112
    Reviewing Vulnerability Scan Results  115
    Creating a Quick Rule  116
    Excluding Vulnerabilities  117
    Malware Toolkit Vulnerabilities  118
    Remediating Vulnerabilities  119
    Setting CVSS Metrics  119
    Setting CVSS Environmental Metrics  120
    Setting Base and Temporal Metrics  120
    Reviewing Asset Risks on the Network Map  122
    Configuring Retina Agent Scan Options  123
    Performance Settings  123
    Timeout Values  123
    Event Routing  124
    Setting Restrictions on Scan Times  125
    Configuring General Scan Options  125
    Scanner Pooling  127

PowerBroker for Windows  129
    Overview  129
    Creating a Smart Group  130
    Creating PowerBroker Rules  131
    Including Arguments in a Rule  133
    Marking Events to Exclude  133
    Deploying and Managing Policies Using Retina CS  134
    Deploying Policies  135
    Reviewing Policies  135
    Session Monitoring  135
    Viewing Events on the Session Viewer  136
    Saving Session Data  138

Patch Management Module  139
    Overview  140
    How Patching with WSUS Works  140
    How a Patch Deployment Works  141
    Connecting to a WSUS Server  143
    Requirements  143
    Adding a Connection  144
    Connecting to a Downstream Server  145
    Installing the WSUS Administration Console  145
    Registering Smart Rules  146
    Redeploying Configuration  148
    Approving Patch Updates  148
    Reviewing Patch Details  150
    Deleting Patches  151
    Third-Party Patching  151
    Generating a Certificate  152
    Subscribing to Vendor Patch Updates  152
    List of Supported Vendors  154

System Center Configuration Manager  155
    Overview  155
    Requirements  155
    Creating a Connection to a SCCM Site Server  155
    Deploying a Package to a Collection  156
    SCCM and 3rd Party Patching  157
    Using Group Policy to Configure SCCM Assets for 3rd Party Patches  158

Retina Protection Agents  161
    Overview  162
    How RP Agent Deployments Work  162
    Downloading Retina Protection Agents  163
    Configuring a Default Policy  163
    Preparing Target Assets  164
    Using the 3rd Party Deployment Tool  165
    Updating RPA Licenses  166
    Deploying the Protection Policies  166
    Storing Retina Protection Agent Serial Numbers  167
    Reviewing Details about Protection Agents  168
    Removing Protection Agents  169
    Configuring Protection Policies  170
    Working with Rules and Rule Groups  170
    Creating a Rule Group and Setting Rules  171
    Creating a Protection Policy  172
    Creating a Dynamic Policy  172
    Organizing Your Policies  176
    Rules Reference  177
    System Wide Firewall Rules  177
    Application Firewall Rules  179
    IPS Signature Rules  181
    Trusted and Banned IPs  184
    Registry Protection Rules  185
    Execution Protection Rules  186
    File Integrity Rules  188
    Windows Events Rules  193
    Source Names  193
    Trusted List Options  195
    Miscellaneous Options  195

PowerBroker Servers for Unix & Linux  197
    Overview  197
    Retina CS and PowerBroker Servers Architecture  197
    Managing PowerBroker Servers Events  199
    Creating a Smart Group  199
    Using pbreplay to Play the Logged Events  199
    Searching the I/O Logs  200
    Search Parameters  201

PasswordSafe  207
    Overview  207
    Configuring PasswordSafe  207
    Creating a Connection to Your Appliance  208
    Creating User Groups  208
    Adding a Managed System  210
    Managing Passwords  212
    Requesting a Password  212
    Approving a Password  214
    Retrieving a Password  215

Regulatory Reports Pack  216
    Compliance Scans  217
    Healthcare Pack Compliance Scans  217
    Finance Pack Compliance Scans  217
    Government Pack Compliance Scans  217
    Running a Compliance Scan  218
    Reviewing Compliance Scan Results  219

Configuration Compliance Pack  220
    Setting Permissions for Configuration Compliance  220
    Managing Benchmarks  221
    Importing Benchmarks  221
    Setting OVAL Tests Option  222

Appendix A: Preparing Your Database Application for Scans  223
    Preparing Your MySQL Database  223

Appendix B: BMC Remedy  224
    Creating a Connector to your BMC Remedy Server  224
    Creating a Smart Group  226
    Exporting the Data  226

I. Retina CS Management Console

Retina CS Overview
Retina CS Tools
Reports and Scan Templates
Asset Management
Mobility Scanning
Cloud Scanning
Multi Tenant
Managing Users
Setting Retina CS Options
Maintenance

Retina CS Overview
In this section,
Retina CS Architectural Overview
Retina CS Components
How a Scan Works
How Job Scheduling Works
Accessing Retina CS

Retina CS Architectural Overview


Retina CS architecture follows a top-down, tiered approach to compliance
and security management throughout your organization.
Retina Network Security Scanners run vulnerability assessments, and Retina
Protection Agents can perform endpoint host security. All communication
between agents and Retina CS is encrypted, and the data is stored in a SQL Server
database.
Multiple Retina CS Servers can replicate data to produce a tiered architecture,
and all management control and results are available through an Internet-enabled application.
Figure: Retina CS Architecture


Retina CS Components
This section provides information on each of the components that Retina CS
relies on in running scans, protecting assets, etc.
Retina Network Security Scanner (RNSS agent)
The Retina Network Security Scanner is the scan engine responsible for
scanning the assets in your environment. The RNSS agent receives
instructions from the Central Policy service.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
Retina Protection Agent (RP agent)
The Retina Protection agent is the agent designed to protect your assets. It
provides layers of protection, including virus and spyware protection, firewall,
intrusion prevention, system protection, and vulnerability assessment.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
eEye Manager Service
This component is the Retina CS web interface.
The eEye Manager Service also acts as a background service that gathers
information from the Events Client (which retrieves information from the
agents). The events are then encrypted and sent to the database.
AppBus (Application Bus)
Provides communications between BeyondTrust components and receives
events to insert in the Retina CS database. This function can also be done by
a dedicated Event Server for scalability.
Events Client
The Events Client is responsible for forwarding information gathered by the
RNSS agent and RP agent.
The Events Client sends the information to the eEye Manager Service. The
Events Client is installed when an RNSS agent or RP agent is installed.
Events Client Certificate
Generate security certificates to ensure secure transmission of data between
clients and Retina CS. Use the Retina CS Configuration Tool to generate
certificates. For more information, refer to the Retina CS Installation Guide.

Central Policy Server
Central Policy is a service that sends RNSS agents and RP agents their
settings. Central Policy is the component responsible for sending the agents
job information.
For example, the RNSS agent needs to know the targets and the audits to
run against those targets. This information is selected in the Retina CS
management console. When the scan starts, Central Policy sends the job
information to the agent.
The same applies to RP agent policies. Central Policy needs to know which
protection policy to push out to the selected protected assets. Policies are defined
in the Retina CS management console, and when a policy is deployed,
Central Policy sends the job information to the RP agent to apply to the
target asset.
Enterprise Update Server
Using the Enterprise Update Server, you can centrally manage updates for
your BeyondTrust applications, receive updates automatically or manually
and distribute updates to client systems on your network.
You can schedule automatic updates to ensure that your assets are protected
by the latest vulnerability audits.
Third Party Patch Service
Gathers third party patches and makes them available for distribution using
WSUS.
Scheduling Service
Responsible for contacting the Update server and downloading the latest
product updates and audit updates.
Shared Services Engine
Receives Retina Protection agent deployment details from the AppBus and
sends those details to the assets where the RP agent is being deployed.


How a Scan Works

This section describes the communication workflow between Retina CS and
the agents.
For a list of ports that Retina CS uses, see Ports Used by Retina CS.
1. Create the scan job in the Retina CS Management Console. The scan job
   includes details such as the IP addresses to be targeted, the scan
   template, and scheduling information.
2. The Central Policy service notifies the RNSS agent with the
   instructions for the scan job.
3. The RNSS agent goes out to the assets as provided in the scan job
   details and gathers the data based on the selected scan template.
4. Gathered information from the RNSS agent is passed through the
   Events Client to the Retina CS Event Server. The data sent is in
   .mmf format.
5. The Retina CS Event Server passes the information to the SQL
   Server. The gathered information is normalized.

Ports Used by Retina CS

Function                  Components                                      Port
Database connectivity     CS to SQL Server, Retina Insight to SQL Server  1433
Event Client              RNSS and RPA to Retina CS                       21690
RPA Central Policy        Endpoint to Retina CS                           Version 1: 2000; Version 2: 443
RNSS Central Policy       RNSS to Retina CS                               Version 1: 10001; Version 2: 443
Update Servers            SyncIt or EUS to BeyondTrust                    443 or 80
Client Browser            User to Retina CS or Retina Insight             443 or 80
PowerBroker Mobile        Connector to PBM                                443
Android Mobile Connector  Android agents to Retina CS                     21691
Retina CS replication     CS to CS for Enterprise tiering                 21692


How Job Scheduling Works

The following job scheduling overview assumes multiple scanners are used.
1. Create a Smart Rule, which includes setting:
   - the list of scanners
   - the asset distribution algorithm
   - the targets
   Targets are determined by:
   - Assets that are in the database (assets that are already discovered).
   - Assets that will be discovered if the following are included in the
     Smart Rule:
     - Address groups
     - Cloud assets
     - LDAP queries
2. The asset distribution algorithm assigns scanners to assets.
   For round robin assignments, targets are assigned first if their IP
   address is known. Then targets are assigned to scanners by the name
   of the target if it is known.
   After this assignment occurs, scanners are always associated with
   assigned assets.
3. Two .xml files are sent to the Retina scanner agent:
   - a file that contains job scheduling information
   - a file that lists the targets assigned to the scanner
Figure: Round robin assignment
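The round robin distribution described above, written out as an added example; this is not Retina CS code, and the Target class, the element names used for the per-scanner target file and the sample inventory are assumptions constructed for illustration. It models the three rules the text gives (IP-known targets first, then name-only targets, and a scanner staying associated with the assets assigned to it), and goes one step beyond the text by running a second scheduling pass with a new target so the sticky association can be seen.

```python
"""Round-robin distribution of scan targets across scanner agents.

Added illustration of the job scheduling description in this guide; it is
not Retina CS code. The Target class, the XML element names and the
inventory below are constructed assumptions.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, List, Optional
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Target:
    """A scan target; either field may be unknown (constructed model)."""
    name: Optional[str] = None
    ip: Optional[str] = None

    def key(self) -> str:
        # The IP address identifies an asset when known, otherwise the name.
        return self.ip or self.name or ""


def assign_round_robin(
    scanners: List[str],
    targets: Iterable[Target],
    existing: Optional[Dict[str, str]] = None,
) -> Dict[str, str]:
    """Return {target key: scanner name}.

    Assumptions beyond the guide's text: a target already associated with a
    scanner that is still in the pool keeps that scanner without consuming a
    round robin slot, and a target with neither IP nor name is skipped.
    """
    if not scanners:
        raise ValueError("at least one scanner is required")
    existing = existing or {}
    targets = list(targets)
    # Pass 1: targets with a known IP address; pass 2: name-only targets.
    ordered = [t for t in targets if t.ip] + [t for t in targets if not t.ip and t.name]
    rotation = cycle(scanners)
    assignment: Dict[str, str] = {}
    for target in ordered:
        key = target.key()
        if key in assignment:
            continue  # duplicate entry in the target list
        if existing.get(key) in scanners:
            assignment[key] = existing[key]  # sticky association
        else:
            assignment[key] = next(rotation)
    return assignment


def targets_per_scanner(assignment: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the assignment by scanner, preserving assignment order."""
    grouped: Dict[str, List[str]] = {}
    for key, scanner in assignment.items():
        grouped.setdefault(scanner, []).append(key)
    return grouped


def targets_file(scanner: str, keys: List[str]) -> str:
    """Serialise one scanner's target list as XML.

    The guide only says that a targets file and a scheduling file are sent;
    the element names here are a constructed illustration, not Retina's schema.
    """
    root = ET.Element("targets", scanner=scanner)
    for key in keys:
        ET.SubElement(root, "target").text = key
    return ET.tostring(root, encoding="unicode")


# Constructed inventory: two scanners and four targets.
SCANNERS = ["scanner-a", "scanner-b"]
TARGETS = [
    Target(name="web01", ip="10.0.0.5"),
    Target(name="db01"),               # name only, assigned in pass 2
    Target(ip="10.0.0.7"),             # IP only
    Target(name="ws02", ip="10.0.0.9"),
]

if __name__ == "__main__":
    first_run = assign_round_robin(SCANNERS, TARGETS)
    for scanner, keys in targets_per_scanner(first_run).items():
        print(targets_file(scanner, keys))
```

Running the module prints one constructed target file per scanner. Passing the previous run's result as `existing` on the next run is what keeps an asset on the scanner it was assigned to; only new targets take fresh round robin slots.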


Access Retina CS
When working in Retina CS, note that times displayed match the web
browser on the local computer (unless stated otherwise).
To log on to Retina CS:
1. Select Start > All Programs > eEye Digital Security > Retina CS >
Retina CS.
You can also log on to Retina CS using the URL provided to you by your
Security Administrator.
2. Enter your username and password.
The default username is Administrator and the password is the
Administrator Password you set in the Retina CS Configuration wizard.
3. Click Login.
If you forget your password, click Forgot your Password? Enter your
username to have a new password sent to your registered email address.


Access the Client Portal

You can access product downloads, license keys, product documentation,
and technical support, including knowledge base articles, using the client
portal. You will need the username and password provided in your product
confirmation email.
To access the client portal:
1. Using your web browser, log on to www.eEye.com/clients. The Client
Portal is displayed.
2. Type your username and password from your product confirmation
email, then click Sign In.
3. Select from one of the following options:
   - Product Downloads. You can access and download the most
     current versions of your licensed software.
   - Product Licensing. You can access and manage your product
     licenses.
   - Documentation. You can access documentation for each product as
     well as additional guides, technical bulletins and knowledge base
     articles, as needed. Typically the documentation set consists of
     Installation Guides, User Guides and online help systems.
   - Technical Support. You can access knowledge base articles,
     support request forms and release notes. In addition, you can view
     and update your support tickets.

Retina CS Tools
In this section,
Overview
Working with Smart Rules
Understanding Smart Rule Filters
Predefined Smart Groups
Creating an Asset Smart Rule
Creating a Vulnerability Smart Rule
Cloning a Smart Rule
Marking a Smart Group as Inactive
Creating an Address Group
Creating an Always Address Group
Creating a Smart Group Based on an Address Group
Creating an Active Directory Query
Working with Attributes
Working with Tickets
Creating a Ticket
Managing Ticket Details
Marking a Ticket as Inactive
Tracking Open Tickets Using a Smart Rule


Overview
Retina CS provides a set of tools to help you organize assets for scanning.
Depending on the number of assets that you want to scan, or the critical
nature of some of your assets, consider organizing the assets using address
groups or Active Directory queries which can be part of a Smart Rule.
The following list provides examples of ways you can use these tools:
- Create an IP address group that organizes assets by a range of IP
  addresses, including CIDR notation and named hosts.
- Use an Active Directory query that will organize assets by organizational
  unit. Create a Smart Rule and use the query as your asset selection
  criteria.
- Change the properties for assets (after a scan runs), then use the
  attributes as the selection criteria in the Smart Rule. For more
  information, see Changing Asset Properties.

Scans can return a lot of information. To help you review scan results, you
can create filters and set preferences on the Assets page to easily review scan
results. For more information, see Changing the Display.

Working with Smart Rules

A Smart Rule is a filter that you can use to organize assets. You can organize
the assets using one of the following Smart Rule types:
- Asset Smart Groups: organizes the assets based on the filters selected.
- Vulnerability Smart Groups: organizes the vulnerabilities based on the
  vulnerabilities filter selected.
The user must be a member of the Administrators group, or be granted the
Asset Management permission, to work with Smart Rules.
Note: When a non-administrator user creates a Smart Group, that Smart
Group will automatically be associated with:
- Read permissions for all user groups that the user is a member of.
- Write permissions for all user groups that the user is a member of and
  that also have the Asset Management permission. The Asset
  Management permission allows the user to create a Smart Rule.
Use a Smart Rule to register assets as Smart Groups to:
- Run vulnerability scans against
- Apply protection policies to
- Register for Patch updates
- Monitor and view

A Smart Rule updates its results automatically, ensuring that the assets that match
the criteria in the rule are current.
For example, a simple filter on assets might find all assets in the
domain EMEA, as shown in the figure.
If an asset can no longer be contacted or no longer meets the criteria in the
rule, the rule dynamically updates. At any time when you select the Smart
Rule for a scan (for example), you can be sure the list of assets is current.
Understanding Smart Rule Filters
There are many filters available to you to create Smart Rules. For example,
you can filter on such properties as Asset fields, Installed Software,
Assigned Attributes, or Operating System.
You can create address groups or an Active Directory query to use as filters.
You can create these filters in the Smart Rule Manager or from the Configure
tab. For more information, see Creating an Address Group and Creating an
Active Directory Query.
You can use more than one filter to refine or extend the scope of assets in
the Smart Rule. Filters can be joined with 'and' (Match All Criteria) or 'or'
(Match Any Criteria) conditions.

If you select Match All Criteria, then every indented filter under it must
be true for an asset to be included.

If you select Match Any Criteria, then only one of the indented filter
items under it must be true for an asset to be included.

The following filter example will include all assets in the EMEA domain that
are either servers or workstations.
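An evaluator for nested Match All / Match Any filters, added here as an example and not part of the guide or of Retina CS itself; the dictionary-based filter representation and the asset records are constructed assumptions. It runs the EMEA servers-or-workstations filter from this section and, going a step beyond the text, re-evaluates the rule after an asset changes domain so the dynamic update described earlier in the section shows up as a membership difference between two processing runs.

```python
"""Evaluate a Smart Rule filter tree (Match All / Match Any) over assets.

Added illustration of the filter semantics described in this guide; it is
not Retina CS code. The filter representation and the asset records are
constructed for this example.
"""
from typing import Any, Dict, List, Set, Tuple

Asset = Dict[str, Any]
Filter = Dict[str, Any]


def matches(node: Filter, asset: Asset) -> bool:
    """Recursively evaluate a filter node against one asset record."""
    kind = node["type"]
    if kind == "match_all":          # 'and': every indented filter must hold
        return all(matches(child, asset) for child in node["criteria"])
    if kind == "match_any":          # 'or': at least one indented filter holds
        return any(matches(child, asset) for child in node["criteria"])
    if kind == "field":              # leaf: compare one asset field
        value = asset.get(node["field"])
        op = node.get("op", "equals")
        if op == "equals":
            return value == node["value"]
        if op == "in":
            return value in node["value"]
        if op == "contains":
            return isinstance(value, str) and node["value"].lower() in value.lower()
        raise ValueError(f"unknown operator {op!r}")
    raise ValueError(f"unknown filter type {kind!r}")


def smart_group_members(rule: Filter, assets: List[Asset]) -> List[str]:
    """Names of the assets matching the rule, sorted for stable comparison."""
    return sorted(a["name"] for a in assets if matches(rule, a))


def membership_change(previous: List[str], current: List[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) between two processing runs of the same rule."""
    before, after = set(previous), set(current)
    return after - before, before - after


# Filter from the text: domain EMEA AND (kind Server OR kind Workstation).
EMEA_SERVERS_AND_WORKSTATIONS: Filter = {
    "type": "match_all",
    "criteria": [
        {"type": "field", "field": "domain", "value": "EMEA"},
        {
            "type": "match_any",
            "criteria": [
                {"type": "field", "field": "kind", "value": "Server"},
                {"type": "field", "field": "kind", "value": "Workstation"},
            ],
        },
    ],
}

# Constructed sample inventory.
ASSETS: List[Asset] = [
    {"name": "web01", "domain": "EMEA", "kind": "Server"},
    {"name": "ws07", "domain": "EMEA", "kind": "Workstation"},
    {"name": "rtr01", "domain": "EMEA", "kind": "Router"},
    {"name": "web02", "domain": "APAC", "kind": "Server"},
]


def rescan_example() -> Tuple[List[str], List[str], Set[str], Set[str]]:
    """Run the rule, move ws07 to another domain, run again, and diff."""
    first = smart_group_members(EMEA_SERVERS_AND_WORKSTATIONS, ASSETS)
    updated = [dict(a, domain="APAC") if a["name"] == "ws07" else a for a in ASSETS]
    second = smart_group_members(EMEA_SERVERS_AND_WORKSTATIONS, updated)
    added, removed = membership_change(first, second)
    return first, second, added, removed


if __name__ == "__main__":
    print(rescan_example())
```

The router rtr01 is in EMEA but fails the inner Match Any, so it never joins the group; once ws07 leaves the domain it drops out on the next evaluation, which is the membership difference a change-triggered action on the rule would act on.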


Smart Rule Filters

Review the following tables for more information about available Smart Rule
filters.

Table 1. Asset Smart Rule Filters

Active Directory Query
    Create an LDAP query to include or exclude assets in the selected domain.
    For more information, see Creating an Active Directory Query.
Address Group
    Create a group of IP addresses. For more information, see Creating an
    Address Group.
Asset Fields
    Group the Smart Group by asset fields, such as asset name, device ID,
    domain or DNS, risk, and kind. You can include more than one asset field
    filter in the Smart Rule to refine the results.
Assets with Open Tickets
    For ticket tracking, create a Smart Rule that filters on open tickets. The
    Smart Rule filter can be set to include overdue tickets.
Assigned Attributes
    Create a filter based on an attribute. If the attribute is unassigned on a
    particular asset, you can choose to include or exclude the asset from the
    rule.
Attacks
    Filter assets based on attack. Select attacks from a list, or filter on
    attack name or ID.
Child Smart Rule
    You can reuse a Smart Rule to save time when creating new Smart Rules.
    This is especially useful if the Smart Rule is a complicated set of
    filters. Reusing a Smart Rule further refines the assets that will be a
    part of the Smart Group.
Cloud Assets
    Filter assets on the cloud connector.
Installed Software
    Filter on any combination of installed software.
MAC Address
    Filter by MAC address of assets.
Malware
    Filter assets based on malware. Select malware from a list, or filter on
    malware name or ID.
Operating System
    Filter on any combination of OS. Operating systems included in the list
    are those detected in your network. Assets with no OS detected can be
    included or excluded from the rule.
Ports
    Filter by port group. Assets with open ports in the port group can be
    included or excluded from the rule.
Processes
    Filter on any combination of processes.
Protection Agents
    Filter by protection agents.
Services
    Filter by any combination of services.
Vulnerabilities
    Filter by vulnerability, CVSS score or vector, PCI severity,
Vulnerability Scanners
    Filter by Retina scan agent. You can filter for responsive or unresponsive
    scan agents.
Windows Events
    Filter by Windows events that are available in the Windows Event Viewer
    (for example, Application, Security, or System).
Workgroup
    Filter by workgroup.

Table 2. Vulnerabilities Smart Rule Filters

Child Smart Rule
    Filter the vulnerabilities by child Smart Rules.
Vulnerability fields
    Filter by the name of the vulnerability.
Vulnerability has mitigation patch
    Filter by patch updates that are available to remediate the vulnerability.
Vulnerability in audit group
    Filter by audit group. For example, All Audits, Zero Day, or any of the
    compliance audit groups available.
Vulnerability severity
    Filter by severity level: low, information, medium, high.
Zero day vulnerabilities
    Filter on zero day vulnerabilities. Include or exclude the vulnerabilities
    from the Smart Group.

Predefined Smart Groups

By default there are Smart Groups already defined and created.
Predefined Smart Groups cannot be changed or deleted. However,
predefined Smart Groups can be marked as inactive (except for the All
Assets Smart Group) to improve performance on large databases. For more
information, see Marking a Smart Group as Inactive.
The predefined Smart Groups are displayed in the Smart Groups browser
pane and are organized in the following categories.

Table 3. Predefined Smart Groups for Assets

Agents and Scanners
    Detects assets where protection agents and Retina scanners are deployed.
Assets and Devices
    Includes default Smart Groups for all assets and all assets labeled as
    workstations.
Intelligent Alerts
    Includes Smart Groups that detect assets added since yesterday, and
    mobile assets with critical vulnerabilities. Intelligent Alerts are
    inactive by default.
Servers
    Includes Smart Groups that detect assets that are mail servers, web
    servers, database servers, domain controllers, and SCADA. Only the Web
    Servers Smart Group is marked as active.
Virtualized Devices
    Includes Smart Groups for virtual environments, including Microsoft
    Hyper-V and Parallels. Assets detected as virtual environments are part
    of these Smart Groups.
    This default category also includes two Smart Groups, Virtual Servers and
    Virtual Workstations. Assets that are servers or workstations might not
    be detected, and therefore, not included in the Smart Group. For example,
    the asset might be a router or unknown and will not be part of the Smart
    Group.

Table 4. Predefined Smart Groups for Vulnerabilities

All Vulnerabilities
    Includes all assets where there are vulnerabilities detected.
Zero Day Vulnerabilities
    Includes all assets where zero day vulnerabilities are detected.

Creating an Asset Smart Rule


You can configure an asset Smart Rule to:
- Create Smart Groups
- Send email alerts with a list of assets
- Set attributes on assets
- Create a ticket with a list of assets
- Enable for Patch management
- Set environmental metrics for CVSS scoring
- Set scanner pooling

To create a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
   The Smart Rules Manager displays existing Smart Rules.
3. Select Asset based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always
   available for processing when Active is selected. Clear the check box so
   the rule is not processed.
7. Enter a category name or select a category from the list. Use categories
   to organize your Smart Rules in the Smart Groups browser pane.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the
   following:
   - Show asset as Smart Group - When selected, the rule is displayed
     in the Smart Groups pane as a Smart Group. You can select the
     Smart Group to filter the list of assets in the Smart Groups pane.
     You can also select the default view to display on the Assets page
     when the Smart Group is selected.
     Smart Groups are also used for running scans, applying protection
     policies, and registering for patch updates.
   - Send an email with a list of assets - Select and enter the email
     addresses for notification when the rule criteria are matched.
     Emails are only sent if the list of assets that match the rule has
     changed since the last time the rule was processed.
   - Set attributes on each asset - Select the attribute type from the list
     and then select the attribute.
   - Create Ticket - Select ticket parameters, including ticket
     assignment, severity, and email alert. For more information, see
     Creating a Ticket.
   - Enable for Patch Management - Select to create a Smart Group
     for managing patch updates to assets. For more information, see
     Registering Smart Rules.
   - Set Environmental CVSS Metrics - Select environmental metrics
     for CVSS. For more information, see Setting CVSS Metrics.
   - Set Scanner Properties - Select one or more Retina scanner agents
     to lock to the Smart Group. See Scanner Pooling.
   - Export Data - Select to manage a Smart Group for the BMC
     Remedy connector.
   - Mark each asset inactive - Assets detected as inactive will no
     longer be displayed on the Assets page or in reports.
   - Deploy PBW Policy - Select to deploy PowerBroker for Windows
     policies to the assets that match the criteria selected in the Smart
     Rule.
10. Click Save.


Creating a Vulnerabilities Smart Rule

You can configure a vulnerabilities Smart Rule to:

• Manage vulnerabilities
• Use as filters in grids and reports

To create a vulnerabilities Smart Rule:

1. Select the Assets tab.
2. Click Manage Smart Rules.
   The Smart Rules Manager displays existing Smart Rules.
3. Select Vulnerability based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always available for processing when Active is selected. Clear the check box so the rule is not processed.
7. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the Smart Rules Manager.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
   • Show vulnerability as Smart Group - When selected, the rule is displayed on the Vulnerabilities page as a filter for the list of assets selected in the Smart Groups browser pane.
   • Create vulnerability audit group - Creates a read-only audit group.
10. Click Save.


Cloning a Smart Rule

You can clone your custom Smart Rules or the predefined Smart Rules.

An example scenario: you created a Smart Rule where the 'discover assets' option is selected and you run the rule once a month. You can clone the Smart Rule, turn off 'discover assets', and configure the new Smart Rule to run more frequently. This saves you time in recreating the filters in the initial Smart Rule.

To clone a Smart Rule:

1. Select the Assets tab.
2. Click Manage Smart Rules.
   Select the Smart Rule, and then click the clone icon.
   If you are using the Multi Tenant feature, select the organization from the list, and then click OK.
3. On the Smart Rules Manager page, edit the Smart Rule filters as needed.
4. Click Save.
   The Smart Rule is active only after you click Save.


Marking a Smart Group as Inactive

You cannot delete predefined Smart Groups. However, if you have a lot of Smart Groups, you can save on processing time if you mark unused Smart Groups as inactive.

An inactive Smart Group is no longer displayed in the Smart Group browser pane (until marked active again).

Creating an Address Group

Not supported in Retina CS Community.

Create an address group, then use the address group as an IP address filter when creating a Smart Rule.

An address group can contain included or excluded IP addresses. IP addresses are entered as an IP range, a named host, or a CIDR block.

To work with address groups, the Retina CS user must be a member of the Administrators group, or be assigned the Asset Management permission. See Creating User Groups.

Creating an Always Address Group

You can create an address group and name it Always. The Retina scanner agent is designed to recognize this address group name and includes the group in every scan (regardless of whether the group is selected in the scan job). The address group can include and exclude IP addresses.

The next time a scan runs, the address group is synchronized with the Retina scanner agent. The IP addresses, whether included or omitted, are applied to the scan that is running.

For example, the Always address group is configured with the following: 10.10.10.60 and buffett-laptop (omitted). A scan tries to scan 10.10.10.50 and buffett-laptop. The results:

• 10.10.10.60 is included in the scan since that IP address is added to the Always address group
• buffett-laptop is excluded from the scan since that asset is explicitly omitted in the Always address group
• 10.10.10.50 is scanned as usual

Note that if an asset was scanned and then later added to the Always address group as Omit, the asset is not scanned but might still be displayed in the report. This only occurs with some reports.
To create an address group:

1. Click the Configure tab, and then click Address Groups.
2. Click + in the Address Group pane.
3. Enter a name for the address group.
4. Select the address group and then click + in the Type/Entry pane.
5. To create an Address Group filter:
   • Click New to open the New Address Group dialog box. Enter IP addresses to include or exclude, and then click Save.
     To exclude IP addresses, enter the IP addresses, and then select the Omit this entry check box.
   • Click Import to import a .txt file with a list of IP addresses to include and exclude. The list depends on your particular needs. The list can include all IP addresses to exclude if that is how you want to create your filter.
     To exclude IP addresses, use the format: 192.x.x.x (1)
     The following shows an example of how a CIDR block, an excluded IP address, and excluded named hosts are displayed after importing:
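The include/omit resolution described above (the Always group, and the import format with its trailing (1) marker), as an added example that is not part of the guide and not Retina CS code. It parses a constructed import file with the ipaddress module, expands CIDR blocks, single addresses, dotted ranges and named hosts, and then applies the rule the buffett-laptop example illustrates: an omitted entry wins over any request to scan it. The dotted-range syntax, the expansion of a CIDR block to every address in it, and the lower-casing of host names without a DNS lookup are this example's assumptions, not the product's documented behaviour.

```python
"""Address group import parsing and Always-group resolution.

Added example, not Retina CS code. The trailing "(1)" omit marker comes from
the guide; the dotted-range syntax ("a-b") and the way a CIDR block is expanded
to individual addresses are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field

OMIT_MARKER = "(1)"  # suffix that marks an entry as "Omit this entry"


@dataclass
class AddressGroup:
    name: str
    include: set = field(default_factory=set)  # individual IPs and host names
    omit: set = field(default_factory=set)


def expand_entry(entry: str) -> set:
    """Expand one entry into the individual targets it denotes.

    Accepts a single IP, a CIDR block, a dotted range "a-b" (assumed syntax),
    or a named host. Host names are lower-cased and kept as strings; no DNS
    lookup is performed, so the result is deterministic offline.
    """
    entry = entry.strip()
    # Single address or CIDR block (strict=False tolerates host bits set).
    try:
        return {str(ip) for ip in ipaddress.ip_network(entry, strict=False)}
    except ValueError:
        pass
    # Dotted range "10.0.0.1-10.0.0.3". A host name such as "buffett-laptop"
    # also contains "-", but its halves are not addresses, so it falls through.
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        try:
            lo = int(ipaddress.ip_address(lo_s.strip()))
            hi = int(ipaddress.ip_address(hi_s.strip()))
        except ValueError:
            return {entry.lower()}
        if lo > hi:
            raise ValueError(f"range start is above range end: {entry}")
        return {str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)}
    return {entry.lower()}


def parse_import_file(text: str, name: str = "Always") -> AddressGroup:
    """Parse a .txt import: one entry per line, a '(1)' suffix means Omit."""
    group = AddressGroup(name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(OMIT_MARKER):
            group.omit |= expand_entry(line[: -len(OMIT_MARKER)])
        else:
            group.include |= expand_entry(line)
    return group


def effective_targets(requested, always: AddressGroup) -> set:
    """Targets the scanner actually visits: the job's own targets plus the
    Always group's included entries, minus everything the Always group omits.
    Omit wins over include, matching the buffett-laptop case in the guide."""
    targets = set()
    for entry in requested:
        targets |= expand_entry(entry)
    return (targets | always.include) - always.omit


# Constructed sample import file (not the guide's screenshot).
SAMPLE_IMPORT = """\
# Always group: one entry per line, "(1)" marks an omitted entry
10.10.10.60
192.168.5.0/30
192.168.1.5 (1)
buffett-laptop (1)
"""

if __name__ == "__main__":
    always = parse_import_file(SAMPLE_IMPORT)
    scanned = effective_targets({"10.10.10.50", "buffett-laptop"}, always)
    for target in sorted(scanned):
        print("scan:", target)
    for target in sorted(always.omit):
        print("omit:", target)
```

Because the Always group is merged into every job, an entry omitted there silently removes a host from scans that explicitly request it; keeping the omit list short and reviewed avoids coverage gaps that the report may not make visible.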


Creating a Smart Rule based on an Address Group

When you are configuring an address group you can choose to create a Smart Group based on the address group.

Create the address group and add IP addresses as described earlier. Click the arrow as shown:

The address group Smart Group is displayed in the Smart Groups browser pane:

Creating an Active Directory Query

Not supported in Retina CS Community.

Create an Active Directory query to retrieve information from Active Directory to populate a Smart Rule. For example, create a query that uses computer names for a selected domain.

To work with Active Directory queries, the Retina CS user must be a member of the Administrators group, or be assigned the Asset Management permission. See Creating User Groups.

To create an Active Directory query:

1. Click the Configure tab, and then click Active Directory Queries.
2. Click New.
3. Enter a name for the query.
4. Enter a path name or click Browse to search for a path.
   On the Select Active Directory Path dialog box, the forest is automatically detected. The Domain list is populated with the domains in the forest. Select a container and click OK to close the dialog box.

5. Select a scope to apply to the container: This Object and All Child Objects, or Immediate Children Only.
6. Enter a name and description for the filter.
7. Click Advanced and enter the LDAP query details.
8. Click Credentials and provide credentials (optional).
   The minimum permission assigned to the credentials must be Read on the computer assets that you are enumerating.
9. Click Test to ensure the query returns the expected results.
10. Click Save.
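An illustration of the LDAP query details entered in step 7, added here and not part of the guide or of Retina CS: it assembles a filter for computer objects under a chosen container, maps the two scope names from step 5 to the LDAP search scopes they correspond to, and escapes the user-supplied parts of the filter per RFC 4515 so that a name containing (, ) or * cannot change the query's structure. The attribute names objectCategory, cn and operatingSystem are standard Active Directory schema attributes; the scope mapping and the base DN in the usage call are this example's assumptions.

```python
"""Building the LDAP filter for an Active Directory query.

Added example, not Retina CS code. objectCategory, cn and operatingSystem are
standard Active Directory schema attributes; the mapping of the guide's scope
names to LDAP search scopes is this example's assumption.
"""

# Scope names from the guide mapped to the LDAP search scope they denote.
SCOPES = {
    "This Object and All Child Objects": "subtree",  # base plus all descendants
    "Immediate Children Only": "onelevel",           # direct children only
}

# RFC 4515 requires these characters to be escaped inside a filter value.
# The backslash is handled first so the escapes themselves are not re-escaped.
_ESCAPES = [("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")]


def escape_filter_value(value: str) -> str:
    """Escape a literal value so it cannot alter the filter's structure."""
    for char, repl in _ESCAPES:
        value = value.replace(char, repl)
    return value


def build_computer_filter(name_prefix: str = "", os_contains: str = "") -> str:
    """Filter for computer objects whose name starts with name_prefix and whose
    operatingSystem attribute contains os_contains. Empty strings mean "any".
    Wildcards are appended here; user-supplied text is escaped, never trusted."""
    clauses = ["(objectCategory=computer)"]
    if name_prefix:
        clauses.append(f"(cn={escape_filter_value(name_prefix)}*)")
    if os_contains:
        clauses.append(f"(operatingSystem=*{escape_filter_value(os_contains)}*)")
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


def build_query(base_dn: str, scope_name: str, name_prefix: str = "", os_contains: str = "") -> dict:
    """Assemble the pieces the query dialog asks for: path, scope and filter."""
    if scope_name not in SCOPES:
        raise ValueError(f"unknown scope: {scope_name!r}")
    return {
        "base": base_dn,
        "scope": SCOPES[scope_name],
        "filter": build_computer_filter(name_prefix, os_contains),
    }


if __name__ == "__main__":
    # Constructed container path, not taken from the guide.
    query = build_query("OU=Servers,DC=example,DC=local",
                        "This Object and All Child Objects",
                        name_prefix="srv", os_contains="Server")
    print(query)
```

Scoping the filter to objectCategory=computer and a specific container keeps the Read permission required in step 8 narrow, and the escaping means a computer name typed into the dialog can only ever match a name, never widen the query.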

Working with Attributes

Not supported in Retina CS Community.

You can use attributes to label assets. Set an attribute on each asset in a group using a Smart Rule.

You can then select the attribute as a filter when you create a Smart Rule. Select an attribute from the Assigned Attributes list in the Asset Selection Criteria section. For more information, see Creating a Smart Rule.

Retina CS ships with attributes already created. You can also add attribute
types and attributes that meet your particular requirements.
You can use the Criticality attribute to weight the importance of an asset in
your environment. Assign the criticality attribute using a Smart Rule or on
the Asset Details page for an asset (see Changing Asset Properties).
To add an attribute type and attribute:

1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
3. Type an attribute name.
4. To add an attribute, select an attribute type.
5. Click + and then select Attribute.
6. Type an attribute name.


Working with Tickets

Not supported in Retina CS Community.

In this section,
• Creating a Ticket
• Managing Ticket Details
• Tracking Open Tickets Using a Smart Rule

Use the ticket system to assign tickets to members of your security team. The team can review, remediate, and resolve vulnerabilities and attacks on protected assets.

You can create tickets to manage the remediation of vulnerabilities, attacks, and malware.

Ensure your user groups have the correct ticket permissions assigned. For more information, see User Group Permissions.

Note: You can create an Active Directory user group and assign the group ticket permissions. The users that are members of the Active Directory group must log on to Retina CS at least once before the user name is displayed in the Assigned to list. Logging on also activates the email notification for the user.
Creating a Ticket

Using the ticket system, you can create tickets for managing the life cycle of vulnerabilities, attacks, and malware.

You can create a ticket from the following pages:

• Assets
• Attacks
• Vulnerabilities
• Malware

To create a ticket:

1. Select the arrow for a vulnerability, and then select Create Ticket.
2. Enter the details for the ticket.


   A ticket ID is automatically generated after you save the details for the ticket.
3. Click Save.
   A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is intended to help you keep track of assets affected by the vulnerability, attack or malware. No intervention is required by you.
   The next time the Smart Rule is processed, affected assets where solutions are applied will no longer be part of the Smart Rule. When all assets have the solution applied, the autogenerated Smart Rule for the ticket is removed from the Smart Rules Manager.
   These autogenerated Smart Rules are not displayed in the Smart Rules browser pane.

Managing Ticket Details

To change the details for a ticket:

1. Select the Assets tab, and then select Tickets.
2. Select i.
3. On the Ticket Details dialog box, change the ticket properties as needed.
   If you select the Close status, the ticket is no longer displayed on the Tickets pane.
4. If available, click the x revisions link to view details about activity on the ticket.

5. Click Back to Ticket Details.
6. Click Save.

Marking a Ticket as Inactive

If a ticket is accidentally created or no longer needed, your security team member can mark the ticket as inactive. An inactive ticket is essentially a ticket that is deleted.

An inactive ticket is no longer displayed on the Tickets page. However, the Retina CS administrator can always see the tickets (active or inactive).

You can mark a ticket as inactive on the Ticket Details page or from the Smart Rules Manager.

To mark a ticket as inactive:

1. Select the Assets tab, and then select the Tickets tab.
2. Select the ticket and then click i.
3. Clear the Active check box.
4. Click Save.
   The ticket is no longer displayed on the Tickets page. The inactive ticket cannot be selected.

Tracking Open Tickets Using a Smart Rule

Use Smart Rules to track open tickets and tickets that are overdue.

To create a Smart Rule:

1. Select the Assets tab, and then click the Manage Smart Rules button.
2. Click New Rule.
3. Enter a rule name and description.
4. Select the criteria and actions as shown.


5. Select the Auto-close Ticket check box to close and remove the Smart
Group from the Smart Rules Manager. The ticket is only closed after all
assets are remediated.
6. Click Save.
Later, you can run the Tickets report to view a current list of open
tickets. Select the ticket Smart Group and any other relevant parameters.


Reports and Scan Templates

In this section,
• Running a Report on Existing Scan Data
• Reviewing Report Results
• Creating a Report
• Creating a Report Category
• Viewing Reports
• Managing Report Templates
• Setting Report Output Options
• Configuring Scan Settings
• Working with Audit Groups
• Working with Port Groups
• Creating a Custom Audit

Reports and Scan Templates

There are two report template types available:

• Scanning only. For more information, see Managing Scan Report Templates.
• Scanning and running reports on existing data. For more information, see Running a Report on Existing Scan Data.


Running a Report on Existing Scan Data

Not supported in Retina CS Community.

You can run reports on scan information that is stored in the Retina CS database.

You cannot run reports on existing data using the Protection reports.

Checkpoint: Create a Smart Group to scope the assets to include in the report. For more information, see Creating a Smart Rule.

Reports will open in a new window. Ensure pop-up blockers are disabled for the Retina CS web site.

To run a report on existing data:

1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters:
   Note that the NONE export type provides a snapshot of the data and produces results faster than selecting PDF output.
   By default, the All check box is selected. Be sure to clear the All check box if you want to use specific parameters for your report. Selecting All uses all criteria available for that parameter.
5. Click Run Report.


Creating Scheduled Reports

To schedule a report:

1. Set the report parameters as described in the preceding procedure (To run a report on existing data).
2. Click Subscription, and then set the following:
   • Notify when complete - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. Email notification is sent when the scan and report are complete.
   • Email report to - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. The reports will be emailed to the users entered.
   • Schedule Type - Select One Time or Recurring. If you select Recurring, select the frequency of the schedule run times.
3. Click Save after you enter the scheduling information.

Viewing Scheduled Reports in the Calendar View

You can review the scheduled reports in a calendar that shows a summary of the reports scheduled for the month.

To view the scheduled reports for the month:

1. Click the Jobs tab, and then click Scheduled in the Reports section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed report.


Reviewing Report Results

Expand the document map to view the list of vulnerabilities.

Click the link for the vulnerability in the document map list or in the main report. You can review more information about the vulnerability such as: description, fix information, references, and CVSS score.

If you export the report to PDF output, the list of vulnerabilities in the document map is displayed as bookmarks in the PDF.


Creating a Report

You can create a report template based on an existing report template.

A report template consists of:

• Report output settings - Select options to determine how information is presented in the report output. Includes report sections that present the information collected from the scan.
• Scan settings - Select options to determine the data to collect from assets. Includes audits, ports, and additional scan options that make up the scan.

Report templates are organized using report categories.

To create a report:

1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report.
3. Select a template and click Create.
4. Select a section and then drag section parts into the section pane.
   You can enter the name of the section part in the text box to select it. Section parts vary based on the report template selected.
5. Select the Shared check box if this report template can be used by other Retina CS users.
6. Click Save.
7. Enter the name of the report and the report category.
8. Click Save.

Creating a Report Category

A report category is a container that helps to organize similar reports. Every report that you create must be assigned to a category.

To create a report category:

1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report Category.
3. Enter a name for the report category and click Create.
4. Drag an existing report from another category to populate the new category.


Viewing and Downloading Reports

On the Reports tab, you can:

• View reports
• Download a report to PDF format
• Access the Manage Report Templates page. For more information, see Managing Report Templates.

To view and download a report:

1. Click the Reports tab.
2. Select one of the following:
   • Double-click a report to view it. Or, select a report, and then click i.
   • Click the download button and then click Save File to save the report in PDF format. Enter the report name, or use the default, and then click Save.
   • Click the delete button to delete the report.


Managing Report Templates

You can customize template settings, including sections in the report output and scan settings.

To access a report template:

Click the Reports tab, and then click Manage Report Templates. Select the report template and click the arrow to select a menu item.

• Edit Report. See Setting Report Output Options.
• Duplicate Report. Create a copy of the selected report. Select Edit or Rename from the menu to continue.
• Rename Report. Enter the new name when prompted.
• Delete Report. Confirm the deletion when prompted.
• Edit Scan Settings. See Configuring Scan Settings.

Setting Report Output Options

You can select the sections to include in the report, such as cover page and report content.

To change the report output:

1. Click the Reports tab.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Select a report section.
   For some reports, you can edit parameters on the Header section. Click the pencil icon to display and select the parameters.


5. The Section Parts pane displays the sections that you can use. Drag a
section part into the middle pane. You can also enter the name of the
Section Parts in the Search box.
6. To remove a section from the report, select the section and select the
garbage can.
7. Click Save.
8. Enter a name for the report and the report category.
9. Click Save.


Configuring Scan Settings

The following scan settings can be set when you are configuring an audit scan:

• Audits. An audit contains the vulnerabilities and risks that you want to search for on your selected assets. The audit information is organized in audit groups. The audit groups provided are industry standard and include: SANS20 (All), SANS20 (Windows), and Zero-day. For a complete list, see Audit Groups.
• Ports. Select the port or port group ranges that you want to include in the scan.
• Options. Select scan policy options, advanced options, and remote agent settings.

To configure an audit scan:

1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits, and then drag an audit group to the scan settings pane.
   To search for an audit group, type the audit group name in the Search box. For more information, see Audit Groups.
5. Select Ports, and then drag port groups to the scan settings pane.
   To search for a port group, type the port group name in the Search box. For more information, see Port Groups.
6. Select Options.



7. Expand Scan Policy Options and select the scan options:
   • Perform OS Detection - Determines the operating system for the target.
   • Get Reverse DNS - Performs a reverse Domain Name System (rDNS) lookup and retrieves the domain name for the target IP address.
   • Get NetBIOS Name - Retrieves the Network Basic Input/Output System (NetBIOS) name of the target.
   • Get MAC Address - Retrieves the Media Access Control address, the unique hardware number of the target's network interface.
   • Perform Traceroute - Determines packet routes across an IP network.
   • Enumerate [parameter] Via NetBIOS - Uses the NetBIOS protocol to determine and list the audits specified in the Audit Group. The parameters include registry, users, shares, files, hotfixes, named pipes, machine information, audit policy, per-user registry settings, groups, processes, user and group privileges, and software.
   • Maximum Number of Users to Enumerate - Sets the maximum number of users for which detailed descriptions are provided. All users are enumerated if you set the value to 0.
   • Hardware - Determines the hardware for the target.
   • Perform Web Scanning - Scans remote web servers and audits installed applications.
   • Web Scan Depth - Sets the number of links to follow from the home page.
   • Perform Database Scanning - Scans remote database instances.
8. Expand the Advanced Options and select the scan options:
   Note: Performance issues may be experienced when running a Connect Scan, Force Scan, and UDP Scan simultaneously. These instruct Retina to negotiate a full connection to each port on each device. On a Class B network, you could be waiting for 65,535 devices to time out on a minimum of 65,535 connections each. In addition, stack changes in Windows XP SP2 cause connect scans to slow greatly due to the 10 incomplete connection limit.
   • Enable Connect Scan Mode - Run if other methods, such as a slow dial-up, are unreliable. The operating system negotiates a full connection to each device. Because multiple port scanning methods are not used, Retina cannot determine a number of items, such as the operating system.


   • Enable Force Scan - Run if the targeted devices are not going to answer SYN or ICMP scanning. Forces Retina to run protocol discovery on each port of each device to determine the protocol. Only use in a highly locked down network where the standard port scanning methods will be filtered or blocked. Force Scan should not be used on IP ranges.
   • Extended UDP Scan - Runs a complete scan on all User Datagram Protocol (UDP) frames without timing out. Forces Retina to expect an answer. The IP will eventually time out.
   • Disable Tarpit Detection - Stops tarpit detection. A TCP tarpit program intentionally reduces the size of data packets to slow communication transmissions. This can cause incorrect scan results. To scan systems running tarpits, set the tarpit to allow unimpeded connections from the Retina scanner.
   • Detailed Audit Status - Retrieves data on the port, operating system and protocol scanned and details the vulnerabilities open, fixed and not verified.
   • Randomized Target List - Uses a random list of target assets to scan rather than a sequential list of IP addresses. This load balances the target IP list across the network by distributing the target list across subnets rather than running all the targets in a subnet at the same time sequentially.
9. Expand Retina Local Scan Service Options to set the following:
   • Perform Local Scanning - Deploys a remote Retina scanner agent to target assets during a scan. Deploy a remote Retina agent to run WMI and remote registry scans. After the scan runs, the deployed remote agent is removed from the asset.
   • Enumerate Ports via Local Scan Service - Enumerates local ports using netstat, including active connections and the program or service using the port. OFF by default.
   • Enable WMI Service - Starts (and then stops) the WMI service. The service is only active during the scan. OFF by default.
   • Enable Remote Registry Service - Starts (and then stops) the remote registry on a target. The service is only active during the scan. OFF by default.
10. Click Update.



Working with Audit Groups

Retina CS ships with audit groups that are populated with audits. Each audit group has a preconfigured set of audits.

On the Scan settings page for an audit group, you can:

• Change the audits in the audit group
• Create an audit group
• Copy an audit group
• Create an audit. For more information, see Creating a Custom Audit.
• Revert the settings to the default values

Note that you cannot delete an audit group that ships with Retina CS.

To manage audit groups:

1. Click the Reports tab, and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
   To search for an audit group, type the name in the Search box.
5. Click Manage in the Audit Groups pane to:
   • Edit an audit - Select the audit and click the pencil icon. You cannot change all audits. Select All Editable Audits from the Show list to display all audits that you can change.
   • Create an audit group - Click + at the bottom of the Audit Groups pane. Enter the name of the new audit group.
   • Copy an audit group - Click the copy icon. Enter a name and click Copy.
   • Edit an audit group - Select the audit group from the Audit Groups pane. You can also type the name of the audit group in the box to search for the audit group.
6. Select the Automatically enable new audits in this group check box to add all new audits to the group when they are created.
7. Click Revert to revert to either the last saved version of the selected audit group or the default value.
8. Click Update.
Working with Port Groups

Port groups contain the list of ports to scan. You can change the ports assigned in a port group, add port groups that will be available to all audit scans, and delete port groups.

Retina CS ships with port groups already configured with a range of ports (for example, HTTP Ports and Discovery Ports). Note that you cannot delete a port group that ships with Retina CS.

To change port groups:

1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
   Use the Grid Size slider to adjust the view.
   • Add a port group - Click + on the Port Groups pane. Enter the name of the port group and click Create.
   • Edit a port group - Select the port group from the Port Groups pane. You can also type the name of the port group in the box to search for and display the port group.
   • Remove a port from a group - Select the port, and then select Clear from the Protocol menu.
   • Add a port or group of ports - Select the ports, and then select the protocol from the list: Both, TCP, UDP. The grid is updated with the corresponding color of the protocol. To select multiple ports, drag and click on the range. Alternatively, enter the port number or port number range in the Select Ports box and click the arrow.
6. Click Revert to cancel your changes.
7. Click Update.
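A small model of the port-group semantics in step 5, added as an example that is not Retina CS code: it parses the single-port and port-range entries the Select Ports box accepts, keeps separate TCP and UDP sets so that Both, TCP, UDP and Clear behave as the step describes, and collapses a protocol's ports back into range entries for review. The HTTP Ports name is the guide's; the ports added in the sample and the class design are this example's own.

```python
"""Port group model: TCP/UDP/Both membership and port-range entries.

Added example, not Retina CS code. The protocol names Both, TCP and UDP,
the Clear action and the "port or port range" entry format follow the guide;
the class design and the sample ports are constructed for this illustration.
"""

PROTOCOLS = ("TCP", "UDP")


def parse_port_spec(spec: str) -> range:
    """Turn "443" or "8000-8100" into an inclusive range, validating 0-65535."""
    lo_s, _, hi_s = spec.strip().partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port spec out of range: {spec!r}")
    return range(lo, hi + 1)


class PortGroup:
    """One port group; ports are tracked per protocol so that the grid can
    show each one as TCP, UDP or Both."""

    def __init__(self, name: str):
        self.name = name
        self.ports = {proto: set() for proto in PROTOCOLS}

    @staticmethod
    def _protocols(protocol: str):
        if protocol == "Both":
            return PROTOCOLS
        if protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be Both, TCP or UDP, not {protocol!r}")
        return (protocol,)

    def add(self, spec: str, protocol: str = "Both") -> None:
        """Add a port or range for the chosen protocol(s)."""
        for proto in self._protocols(protocol):
            self.ports[proto].update(parse_port_spec(spec))

    def clear(self, spec: str) -> None:
        """Clear from the Protocol menu: drop the port(s) from every protocol."""
        for proto in PROTOCOLS:
            self.ports[proto].difference_update(parse_port_spec(spec))

    def protocol_of(self, port: int):
        """Both, TCP, UDP, or None when the port is not in the group."""
        tcp = port in self.ports["TCP"]
        udp = port in self.ports["UDP"]
        if tcp and udp:
            return "Both"
        return "TCP" if tcp else "UDP" if udp else None

    def as_ranges(self, protocol: str) -> list:
        """Collapse a protocol's ports into sorted "a" / "a-b" entries."""
        ports = sorted(self.ports[protocol])
        out, i = [], 0
        while i < len(ports):
            j = i
            while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
                j += 1
            out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
            i = j + 1
        return out


def sample_http_group() -> PortGroup:
    """Constructed group: the HTTP Ports name is the guide's, the ports are ours."""
    group = PortGroup("HTTP Ports")
    for spec in ("80", "443", "8000-8100"):
        group.add(spec, "TCP")
    group.add("53")        # Both is the default protocol here
    group.clear("8080")    # drop one port from the middle of the range
    return group


if __name__ == "__main__":
    g = sample_http_group()
    for proto in PROTOCOLS:
        print(proto, g.as_ranges(proto))
```

Reviewing a group through as_ranges before a scan makes an accidental wide range (a typo such as 80-8000) obvious, which matters because every audit scan that references the group inherits it.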


Creating a Custom Audit

You can create an audit that addresses particular risks or vulnerabilities that you want to protect your assets from.

You can select the rule category, the risk level associated with the rule, and the audit type and details. For example, you can create the following audit: ensure the latest service pack and a particular hotfix have been installed for Windows 2003 OS 32-bit/64-bit.

To create customized audit scan settings:

1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane.
6. Click +New Audit to start the Audit wizard.
7. Click Next.
8. On the Audit Description page:
   a. Type the audit name.
   b. Select the audit category, such as Database, Mail Servers, Miscellaneous, or Windows.
   c. From the Risk Level list, select the severity level that corresponds to the severity of the vulnerability:
      • High - Risks that allow a non-trusted user to take control of a susceptible host. Vulnerabilities that severely impact the overall safety and usability of the network.
      • Medium - Risks that are serious security threats and would allow a trusted but non-privileged user to gain complete control of a host, or would permit a non-trusted user to disrupt service or gain access to sensitive information.
      • Low - Risks associated with specific or unlikely circumstances. These vulnerabilities can provide an attacker with information that could be combined with higher-risk vulnerabilities to compromise the host or users.
      • Information - Host information that does not necessarily represent a security threat, but can be useful to the administrator to assess the security. These alerts are displayed with the list of vulnerabilities.
   d. Describe the vulnerability.
   e. Describe how to remediate, investigate or mitigate the vulnerability.



9. On the Audit Type page, select the type of audit:
   • Banner - Determines vulnerabilities in the banner information, such as firewall name, IP addresses and server name.
   • CGI Script - Determines vulnerabilities in the common gateway interface that passes a Web user's request to an application program and receives data back to forward to the user.
   • Registry - Detects vulnerabilities by scanning registry entries and values.
   • Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.
   • File Version - Determines if a file exists. The audit can check if the file exists or not.
   • File Checksum - Determines vulnerabilities based on file checksum comparisons. Supported values include: MD5, SHA1, SHA256. Network performance issues might occur if you use this feature. Use this feature with caution.
   • Remote Check - Verifies if a specific Unix program or patch is installed on an operating system.
   • Mobile Software - Determines if software exists for mobile devices.
   • BlackBerry Device - Determines vulnerabilities based on BlackBerry device specifications.
   • Share - Determines if a share is accessed by unauthorized users.
   The Audit Details page displays parameters based on the audit type that you select in step 9.
10. Enter the information for the audit type, and then click Next.
   • Banner audit details - Select the banner protocol, and then type the banner name.
   • CGI Script audit details - Type the URL path to the script name.
   • Registry - Select Path, Key, or Value from the menu. Select the operating systems that the vulnerability affects. Note that the registry path cannot contain the selected Hive value.
   • Service Pack Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.
   • File Version - Verifies the software version.

June 10, 2013

44

Retina CS UserGuide

Reports and Scan Templates


Enter the file name, set file version information (optional), and select
operating systems to check.

File Checksum - Select the file checksum from the list.


Enter a file name, checksum value, and file version. Use an asterisk
(*) to compare all file versions.

Remote Check - Verifies if a specific Unix program or patch is


installed on an operating system.

Mobile Software - Enter the name of the software, and set if software
exists. Can also audit on the version number.

BlackBerry Device - Enter model, serial number, device ID,


platform version, and OS version.

Share - Select user account access on the share, type of access on the
share, and OS version. Optionally, list the accounts by SID.

11. On the Vulnerability Details page, enter the BugTraq and CVE details, as needed.

BugTraq - A security portal dedicated to issues about computer security, such as vulnerabilities, methods of exploitation and remediation.

CVE - Common Vulnerabilities and Exposures is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

12. On the Audit Wizard Summary page, click the pencil to change the audit information.

13. Click Finish.
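As an added illustration of what the File Checksum audit details above amount to (example code written for this page, not part of Retina CS or any BeyondTrust software), the routine below hashes a file with one of the three supported checksum types, applies the file version match with the asterisk wildcard, and reports whether the file on disk matches the expected checksum. The sample file name, its contents and the version strings are constructed for the demonstration; a real audit would take them from the audit definition and the scanned host.

```python
import hashlib
import os
import tempfile

# The three checksum types the audit wizard supports, mapped to hashlib names.
SUPPORTED_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def file_digest(path, algorithm):
    """Return the hex digest of the file, hashing in 64 KiB chunks so a large
    binary never has to fit in memory."""
    h = hashlib.new(SUPPORTED_ALGORITHMS[algorithm.upper()])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def version_in_scope(version_pattern, actual_version):
    """'*' compares all file versions, as the audit details page allows;
    any other pattern must equal the file's version exactly."""
    return version_pattern == "*" or version_pattern == actual_version


def checksum_audit(path, algorithm, expected_hex, version_pattern, actual_version):
    """Evaluate one File Checksum audit against one file.

    Returns a dict with a 'status' and a boolean 'match'.  A match means the
    file on disk is exactly the build the checksum describes (for a
    vulnerability audit, the known-affected build)."""
    if algorithm.upper() not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported checksum type: %s" % algorithm)
    if not os.path.isfile(path):
        return {"status": "file-missing", "match": False}
    if not version_in_scope(version_pattern, actual_version):
        return {"status": "version-not-in-scope", "match": False}
    digest = file_digest(path, algorithm)
    # Compare case-insensitively: checksum values are often pasted in upper case.
    return {"status": "checked",
            "match": digest.lower() == expected_hex.strip().lower(),
            "digest": digest}


def demo():
    """Run the audit against a constructed sample file (not a real product
    binary) and return the outcome for each case a practitioner meets."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.dll")  # constructed file name
        with open(sample, "wb") as f:
            f.write(b"constructed sample binary contents\n")
        known = file_digest(sample, "SHA256")
        return {
            # '*' version wildcard: every version is compared, digest matches
            "all_versions": checksum_audit(sample, "SHA256", known, "*", "1.2.3.4"),
            # exact version given but the file reports another version: not compared
            "other_version": checksum_audit(sample, "SHA256", known, "2.0.0.0", "1.2.3.4"),
            # upper-case MD5 value still compares correctly
            "md5_upper": checksum_audit(sample, "MD5", file_digest(sample, "MD5").upper(), "*", "1.2.3.4"),
            # digest differs: the file is not the build the audit describes
            "different_build": checksum_audit(sample, "SHA1", "0" * 40, "*", "1.2.3.4"),
            # file absent from the host
            "missing": checksum_audit(os.path.join(workdir, "absent.dll"), "SHA256", known, "*", "1.0"),
        }
```

The version check runs before any hashing, which is why the asterisk wildcard is the expensive option: with "*" every copy of the file on every host in scope is read in full, which is the network cost the guide warns about.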

Report Templates and Audit Groups


Not all report templates or audit groups are supported in Retina CS
Community.
The following tables list the report templates and audit groups available with
Retina CS.
You can run reports on existing scan information that is stored in the Retina
CS database.
You can run all reports from Retina Insight. For more information, refer to
the Retina Insight User Guide.
Report Templates

Table 5. Vulnerabilities

Report Name - Description

Access - Lists targets that are inaccessible and includes a reason. For example, the target does not exist on the network, or administrative rights were not provided.

All Audits Scan - Lists all vulnerabilities found. Drill down by vulnerability to review more information, such as fixes, references, exploits and affected assets.

Discovery Scan - Lists the targets found on the network, including workstations, routers, laptops and printers. Credentials are not required for a discovery scan.

PCI Compliance Report - Details the vulnerability results of PCI security scans. Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for merchants and service providers that store, process, or transmit cardholder data. PCI Security scans are conducted over the Internet by an Approved Scanning Vendor (ASV). The Retail Report pack is required for this report.

Vulnerabilities by Reference - Lists vulnerabilities by CVE reference ID.

Vulnerabilities Delta - Provides the vulnerability differences between two scans.

Vulnerabilities - Lists vulnerabilities grouped by assets. Drill down into an ID for more information, such as assets affected and potential fixes. The report details the vulnerabilities with criticality, descriptions, fix information and references. The references provide a link to the CVE web site. You can run custom or standard reports to review the system, users and security issues.

Vulnerability Exclusions - Lists vulnerabilities that are set to exclude. Includes the expiry date and reason properties.

Vulnerability Export - Provides a tabular list of all vulnerabilities discovered and their associated details.
The Attacks report uses information gathered by Retina Protection Agents.
Table 6. Attacks

Report Name - Description

Attack - Displays the total number of attacks, attacks per asset, assets attacked, attacker IP address, a list of the top x attacks, criticality and trends over time. Drill down into each attack for more information, such as action, port, protocol, and attacker.

Malware - Displays the total number of malware attacks, a list of the top x malware attacks, trends over time, and assets affected. Drill down into each malware attack for more information, such as location of the malware, asset and IP address, etc.

Delta reports are useful for comparing changes such as add/remove of user
accounts, software, OS upgrades.
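Every Delta report in these tables (Vulnerabilities Delta above, and the OS, Port, Service, Share, Software, User and Hardware Delta reports that follow) rests on the same comparison of two scans. As an added example, not code from Retina CS or BeyondTrust, the routine below performs that comparison for any per-asset inventory and returns the new, removed and unchanged breakdown together with the totals a delta report headlines. The two scan snapshots, the asset names and the account names are constructed sample data.

```python
# Constructed sample inventories: local user accounts found on each asset in
# two consecutive scans (not real scan data).
PREVIOUS_SCAN = {
    "srv01": ["Administrator", "svc_backup", "jdoe"],
    "srv02": ["Administrator", "jdoe"],
}
CURRENT_SCAN = {
    "srv01": ["Administrator", "svc_backup", "jdoe", "tmpadmin"],
    "srv02": ["Administrator"],
    "srv03": ["Administrator"],  # asset first seen in the current scan
}


def scan_delta(previous, current):
    """Classify every item on every asset as new, removed or unchanged.

    `previous` and `current` map asset name -> iterable of items.  Items can
    be user names, open ports, service names, software titles or shares, so
    the same routine serves each kind of Delta report listed in these tables.
    An asset present in only one scan is compared against an empty set."""
    prev = {asset: set(items) for asset, items in previous.items()}
    curr = {asset: set(items) for asset, items in current.items()}
    delta = {}
    for asset in sorted(prev.keys() | curr.keys()):
        before = prev.get(asset, set())
        after = curr.get(asset, set())
        delta[asset] = {
            "new": sorted(after - before),
            "removed": sorted(before - after),
            "unchanged": sorted(before & after),
        }
    return delta


def delta_counts(delta):
    """Totals across all assets, the headline numbers a Delta report shows."""
    return {key: sum(len(per_asset[key]) for per_asset in delta.values())
            for key in ("new", "removed", "unchanged")}


def assets_with_new_items(delta):
    """Assets that gained at least one item since the previous scan; for a
    user delta these are the first ones worth drilling into."""
    return sorted(asset for asset, d in delta.items() if d["new"])


def demo():
    delta = scan_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    return delta, delta_counts(delta), assets_with_new_items(delta)
```

Note that a brand-new asset shows every item as "new", which is what the report's drill-down by asset is for: a host that appears with a full set of accounts is a different event from an existing host that gained one account.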


Table 7. Assets

Report Name - Description

Asset Export - Displays assets in a selected scan in a .csv format. Information includes: the asset name, IP address, DNS, domain and operating system.

Assets - Provides asset and risk information by hardware, MAC address, operating system, port, process, services, share and user account.

OS Delta - Displays the differences in operating systems between two scans.

OS - Lists top 100 and bottom 100 discovered operating systems. Assets are grouped by OS. IP address, asset name, DNS name and risk are included.

Port Delta - Displays the port differences between two scans.

Port - Lists top 100 and bottom 100 discovered ports for the assets included in the scan. Assets are grouped by port. IP address, asset, DNS and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Protection Agent Configuration - Displays the policies applied on an asset. Retina Protection Agent module required.

Service Delta - Details the service differences between two scans.

Service - Lists top 100 and bottom 100 discovered services for the assets included in the scan. Assets are grouped by service. IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Share Delta - Displays the share differences between two scans.

Share - Provides a summary of top and bottom shares and a breakdown by IP address, asset name, DNS name, operating system and criticality.

Software - Lists top 100 and bottom 100 discovered software for the assets included in the scan. Assets are grouped by software. IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Software Delta - Displays the software differences between two scans.

User Delta - Lists the number of new, unchanged and removed users. Drill down by asset to review a summary of the user updates.

User - Lists top 100 and bottom 100 discovered users for the assets included in the scan. Assets are grouped by user. IP address, asset name, DNS name, and risk level are included.

Windows Event Report - Lists Windows event types based on your selection: Application, System, Security. Retina Protection Agent module required.

Table 8. Executive Overview

Report Name - Description

Executive Summary - Provides an overview summary of assets and trends, such as audits by machine and audits by severity.

Table 9. Patches

Report Name - Description

Patches - Lists the assets included in the scan and the number of patches that need to be applied to each asset. Lists each patch available and includes a link to more information for the patch. Each patch also provides the name of the violated audit.

Table 10. Hardware

Report Name - Description

Hardware Delta - Lists a summary of hardware differences between two scans. Drill down by asset to review differences.

Hardware - Lists the hardware discovered on each asset included in the scan.

Table 11. Regulatory Compliance

Report Name - Description

COBiT Compliance - Provides a report that ensures your environment satisfies the controls identified in the COBiT framework. Additional components: Any report pack.

FERC-NERC - Maps monitored controls to NERC requirements. Additional components: Government report pack.

GLBA Compliance - Provides security risk assessments that satisfy the requirements in the GLBA. Additional components: Financial report pack.

HIPAA Compliance - Maps configuration, patch and zero-day vulnerabilities to HIPAA security rules. Running a scan using the default scan settings ensures compliance to Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation. Additional components: Healthcare report pack.

HITRUST Compliance - Displays vulnerabilities mapped to HITRUST regulatory compliance standards. Supported sections from the standard and vulnerability counts are displayed.

ISO-27002 Compliance - Maps configuration, patch and zero-day vulnerabilities to satisfy ISO-27002. Additional components: Any report pack.

ITIL Compliance - Maps compliance violations and vulnerabilities back to ITIL best practice categories. Additional components: Any report pack.

MASS 201 - Maps configuration, patch and zero-day vulnerabilities to MASS 201. Additional components: Government report pack.

NIST 800-53 - Maps configuration, patch and zero-day vulnerabilities to the NIST 800-53 standard used to support FISMA compliance. Additional components: Government report pack.

SOX Compliance - Maps configuration, patch and zero-day vulnerabilities to defined SOX requirements. Additional components: Retail or Healthcare report pack.

Table 12. Protection

Report Name - Description

Protection Policy Differences Report - Provides a summary of differences in a protection policy. You cannot run reports on existing data for the Protection reports. This report is intended to provide configuration information for your Retina Protection agent policies.

Table 13. Configuration Compliance

Report Name - Description

Benchmark Compliance - Runs a benchmark scan based on a selected benchmark template and policy.

Benchmark Export - Provides a summary of differences in a benchmark policy.

Additional components: Configuration Compliance module.

Table 14. Patch Management

Report Name - Description

Approved Patches - Lists assets where patches are approved.

Installed Patches - Lists installed patches.

Required Patches - Lists required patches.

Additional components: Patch Management module.

Table 15. Tickets

Report Name - Description

Ticket - Displays details such as Status (Open, New, Closed), Severity, Assigned user, due date, ID, and ticket title.

Table 16. Mobility

Report Name - Description

Mobile Assets - Lists mobile assets discovered.

Mobile Vulnerabilities - Lists vulnerabilities associated with mobile assets.

Table 17. PowerBroker Windows

Report Name - Description

Application ActiveX Details - Displays information about installation events for ActiveX controls in Internet Explorer.

Applications by Computer - Displays information about application usage on a client.

Applications By Hash - Displays information about all applications under management tracked by hash code. Details include the hash code of the binary file, application name, file version, product name, certificate publisher, etc.

Applications By Path - Displays information about all applications under management tracked by launch path.

Dashboard Report - Displays charts about the applications most frequently launched, requiring elevation, triggering User Account Control (UAC), and launched by Shell rule. Also, charts about ActiveX controls, rules applied, local administrators, and the ratio of administrator users to standard users.

File Integrity by Asset - Displays the assets managed using PowerBroker for Windows File Integrity rules.

File Integrity by Rule - Displays the assets organized by the PowerBroker for Windows rules.

Shell Rule Executions - Displays information about all applications that run based on a shell rule.

Audit Groups
Access Scan
All Audits
Android
ActiveSync
BlackBerry
Databases
Database Servers
Domain Controllers
FDCC-Windows XP
FDCC-Windows Vista
Mail Servers
SANS20 (All)
SANS20 (Unix)
SANS20 (Windows)
Secure Audits Configuration
SCADA
Third Party Patch Assessment
Virtualization
Web Applications
Zero-Day

Regulatory Reporting Pack Audit Groups

COBiT Compliance
GLBA Compliance
HIPAA Compliance
HITRUST
ITIL Compliance
ISO-27002 Compliance
NERC/FERC Compliance
Mass 201 CMR 17 Compliance
PCI Compliance
NIST 800-53 Compliance
SOX Compliance

Asset Management
In this section,
Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings

Interpreting Scan Results on the Dashboard


To review scan results:
1. Log on to Retina CS.
2. Select a date tab to update the view with metrics for the selected date
range.
3. Select the Custom dates tab and click the arrow to select a date range.
The middle pane displays the following information:

Overall Threat Level - Plots attacks and vulnerabilities over time by severity. Change the Counts to display the results by type. Click on the graph to expand the display.

Anomalies - Displays higher frequency malware/virus/spyware/attack/vulnerability occurrences, assets with higher risk, ports/software with lower frequency, expired reports, expired scans, and long scans.

Asset Risk - Displays the risk for all assets in the environment. Hover over the pie chart to display the percent call out. The values on the chart are calculated every 4 hours. For more information on risk scores, see Risk Scores.

The lower pane displays the following information:

Critical Alerts - The event date and description.

Operational Status - Information about scheduled scans.

Completed Reports - The reports that ran.

1. Click Show Status to display status detail, including the names of scans. Hover over the job icon to see more details.

2. Click the refresh button to update the information on the dashboard.

Reviewing Asset Details


On the Assets tab you can review your protected assets and determine if there are vulnerabilities, attacks, or malware compromising your assets.
To review asset information:
1. Select the Assets tab, and then select a Smart Group.
Click the expand icons to expand the assets pane.
2. Select an asset, and then click the i icon.
You can change properties for an asset. Click Edit. For more information, see Changing Asset Properties.
On the Asset Details pane, select an item to review more information.

Risk Scores
The risk score indicates the potential for an asset to be attacked. You can use the risk score to determine which assets need the most urgent attention.
The asset risk score is calculated using factors such as: vulnerability, number of attacks, exposure (open ports, number of users, shares, for example), and overall threat level.
Risk scores range from 0 to 9.99:

0 indicates a low risk or there is no data available to determine a potential risk.

9.99 indicates the highest risk. The asset is most vulnerable to an attack.

An asset risk score is displayed in the following areas:

Pie chart on the Dashboard page

On the Assets tab

Details page for each asset

Changing Asset Properties


You can use the Asset wizard to change the following asset properties:
owner, active, and asset attributes such as business unit.
Assign or change attributes to help organize and identify assets. For more
information about attributes, see Working with Attributes.
Run a discovery scan to populate the Assets pane.
To change the details for an asset:
1. Select the Assets tab.
2. Select an asset, and then click the i icon.
Alternatively, double-click the asset to open the asset details pane.
3. On the Asset Details pane, click Edit.
4. Click Next on the Welcome page of the Asset wizard.
5. On the Edit Asset Details page, select the asset properties.
6. On the Edit Asset Attributes page, select the attribute values and then click Next.
The default attributes that you can apply are: Geography, Business Unit, Criticality, and Manufacturer.
7. Review the settings, and then click Finish.

Changing the Display

You can change the information displayed on Retina CS pages, including:

Columns

Number of records displayed at one time

Filters that display only the records meeting the filter criteria

Setting Display Preferences


You can set display preferences on the following pages:

Assets page

Vulnerabilities page

Agents page

Jobs page

User Audits page

Note that you can display a Domain and filter by Domain. If the domain
name is not known or the asset is not part of a domain, then the field is
blank. The Domain filter is not displayed by default.
To set display preferences:
1. Select the Assets tab.
2. Click the preferences button.
3. On the Preferences dialog box, set the following:

Columns to Show - Select the check boxes for the columns that you want to display.

Show Filter - Select to always display the filtering text boxes and lists. For more information, see Filtering Records.

Records Per Page - Select the number of records to display at one time.

4. Click OK to close the Preferences dialog box.
5. Click the save icon to open the Save Preferences dialog box.
6. Select display settings, and then click Save Preferences.

Filtering Records
Create a filter to match certain records that you want to view on the page.
To set filtering on assets:
1. Select the Assets tab.
2. Select the show filter button to display the filter options.
3. Enter filter criteria, and then click the apply filter button.

Managing Jobs
On the Jobs page, you can review:

Active, scheduled, and completed scan jobs

Active and completed Retina Protection agent deployments

Active, scheduled, and completed reports

View scheduled scans and scheduled reports in a calendar view

SCCM package deployment status

Windows event details

Reviewing Job Details


You can review job details for a scan (running or complete).
On the Job Details page, you can review the number of assets scanned, the
number of processes successfully scanned, credentials used for the scan, and
a drill-down to the assets scanned.
A target is defined in a scan as a combination of: a single IP address, a
computer name, a list of IP addresses, a list of computer names, an IP range,
and cloud devices.
An asset is a device that is discovered from the range of targets defined in
the scan. For example, the scan properties include these IP addresses in a
range: 10.100.10.20 and 10.100.10.21. During the scan, there might not be a
device attached to 10.100.10.20. That will be reflected in the number
shown in the Targets and Assets displayed on the job details page.
The agent name indicates if the scanner is in a scanner pool. For more
information, see Scanner Pooling.
To review job details:
1. Select the Jobs tab.
2. Select the Active tab for the Scans section.
3. Double-click a job to open the Job Details pane.
In the following example, you can review the job details while the job is
in progress.

Reviewing Scheduled Job Details


You can change the following settings for a scheduled job:

Job name

Smart Rule

Credentials

Schedule

The Last Refresh Date indicates the date when the Smart Rule was
processed. Assets added or removed after the Last Refresh Date are not
reflected in the Smart Rule.
The Smart Rules are processed every 6 hours. Depending on the schedule
and how frequently assets change in your environment, you might want to
change the refresh rate. Otherwise, assets might not be included in the scan
as you expect. For more information, see Refresh Settings.

Viewing Scheduled Scans in the Calendar View


You can review the scheduled scans in a calendar that shows a summary of
the scans scheduled for the month.
To view the scheduled scans for the month:
1. Click the Jobs tab, and then click Scheduled in the Scans section.
2. Click Toggle Calendar.

3. Click the Report icon to open the report for a completed scan.

Viewing Scan Event Details


You can review a summary of the gathered scan events.

Aborting or Pausing a Job

Changing Job Page Settings


Click the Job Page settings icon to change display settings.
On the Job Grid Settings dialog box, you can configure the default job type,
refresh intervals, and the maximum number of assets displayed on the page.

Mobility Scanning
In this section,
Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Configuring a PowerBroker Mobile Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices

Overview
A mobility scan scans mobile devices against scan templates to determine if
there are any vulnerabilities.
You can use the predefined scan templates that ship with Retina CS or create
a custom scan template. Create a custom template to scan for particular
device software and hardware versions, for example.
Running a mobility scan also retrieves information such as device ID, model, and serial number from BlackBerry and Android devices and from mobile devices on an ActiveSync server.
After you create a mobility connector, a Smart Group is created. The Smart
Group name is the same as the connector name. The Smart Group is
populated with the devices that are detected when a scan runs.

Configuring a BlackBerry Connector


The BES connector, which uses RIM API technology, establishes a
connection to the BlackBerry Admin service to retrieve the device
information.
Mobility scans run on the Retina CS server, and do not use a scanning agent.
To configure a BlackBerry connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select BlackBerry.
General - Enter a name and description for the connector.

Connection Details - Enter the information for the BES host. Use the port number where BES is configured to listen. Confirm the port number in your BlackBerry Admin service configuration.

Scan Options - Select an audit group.

Synchronization - Select a synchronization schedule. During a synchronization, all BlackBerry devices connected to the BES host are detected, including software versions and any vulnerabilities found based on the audit group selected.

4. Click Update.
5. To run the scan now, click Scan Now.
Scan Now is only available after you click Update.
A Smart Group is populated with the devices that are detected when the connector is created. Go to the Assets page to see the new Smart Group.

Configuring an Android Connector


To configure a connection to an Android mobile device:

Create connection details on the Configure tab.

Create a configuration file that you can email to your mobile device users.

When a valid connection is established, the audits are downloaded to the mobile device. Scan results are then uploaded to the Retina CS server.
To configure an Android connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select Android.

General - Enter a name and description for the connector.

Connection Details - Enter the authentication key for the Android connector.
Note that this connector opens port 21691 to communicate with Android devices. Ensure this port is available.

Scan Options - Select an audit group.

Synchronization - Select a synchronization schedule.

Distribution - Click Prepare Configuration File to generate a file that contains the server information for the connector. The device user needs the password to run the configuration file.
Select the check box to allow Android devices that are using the configuration file to communicate with the server using an untrusted SSL certificate. Although this option is available, it is recommended to use a trusted SSL certificate.

4. Click Update.

After you create a connector, an Android connector Smart Group is displayed in the Assets pane.
If you are using a configuration file, you can distribute the file now using email. Be sure to provide the configuration file password using another method so the Retina CS Server information in the configuration file remains secure.

Deploying the Application to Android Devices


BeyondTrust Scanner for Android is available on Google Play.
If you do not want to install the BeyondTrustScanner using Google Play,
you can download the Android Package (APK) file from the Android
Connector page. To install the BeyondTrustScanner APK on an Android
Device, you must enable the Unknown Sources setting.
You can manually deploy the app in the following ways:

Email

Ensure your Android devices are configured to receive email.

Email the APK file to the user's email address.

Select the attachment to start the installation. The Android application installation dialog box is displayed.

USB

Connect the Android device to your workstation. If prompted, enable USB File Sharing and Mass Storage modes.

After your workstation recognizes the device, copy the APK file.

Using a file management app from the Android Market (such as EStrongs File Manager or Linda), open the APK file to start the installation. The Android app installation dialog is displayed.

After the application has been manually installed on the device, disable the Unknown Sources setting.

Configuring Settings on Android Devices


After the BeyondTrustScanner is installed on the device, the device user can
run the configuration file. The user must enter the configuration file
password before the BeyondTrustScanner is automatically configured with
the Server information in the file.
If you chose not to distribute the configuration file to your users, you can
manually configure each mobile device using the BeyondTrustScanner
Applications Settings.

Note that after the mobile device is configured to communicate with a Retina CS Server, the Scan Time is dictated by the Android Connector. Any Scan Time values that were previously configured in the BeyondTrustScanner application are ignored.
To manually configure the Android application:
1. Tap the BeyondTrustScanner application.
2. Set the following on each device:

Notifications - Tap to turn on notifications. Updates on the status of scans are displayed to the user.

Asset Name - Tap to enter the name for the asset. This is the name that will be displayed on the Asset Details pane in Retina CS. By default, this is the user's Google account name.

Allow Untrusted SSL - Tap to allow untrusted SSL.

Authentication Code - Enter the authentication code that you entered when configuring the connection in Retina CS.

Server - Enter the IP address and port for the Retina CS server. Enter the default port (21691) that is opened when a connector is created.

3. Click Synchronize.
If your server settings are correct and your server is accessible, a list of
Android Connectors that match the Authentication Code are displayed.
4. To register the device with the Retina CS Server, select an Android
Connector from the list.

Configuring an ActiveSync Connector


Create a connector to an ActiveSync server to scan all mobile devices
associated with the server.
Note that currently, Retina CS supports Windows Phone 7, iPhones, and
Android mobile devices. While other mobile device types will be detected
and scanned, some information might not be displayed (such as device type,
model, OS).
To configure an ActiveSync connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select ActiveSync.
General - Enter a name and description for the connector.

Connection Details - Click the Browse button to select the forest and domain where the Exchange Server resides.

Credentials - Enter the credentials that can access the Exchange Server.

Scan Options - Select an audit group.

Synchronization - Select a synchronization schedule.
4. Click Update.
After you create a connector, an ActiveSync Smart Group is displayed in the
Assets pane. The Smart Group will be populated with assets after a scan
runs.

Reviewing Mobility Scan Results


You can review scan results on the Mobile tab.

Double-click a device to open the details page.

Creating Custom Audits for Mobile Devices


You can create a custom audit for your mobile devices.

The procedure to create a custom audit is the same as in Creating a Custom Audit.
You can review the following table for details on audit types and audit details that are specific to mobile devices.

Audit Type - Audit Details

Mobile Software - Provide information, including: software, whether the software exists, operating systems and versions.

BlackBerry Device - Provide attributes for BlackBerry devices: model, serial number, device ID, version, and operating systems.

ActiveSync Device - Provide a list of device types and operating systems.

Android Device - Choose from a list of Android attributes, including: model, manufacturer, release

Cloud Scanning
In this section,
Requirements
Amazon EC2 Requirements
VMWare VCenter Requirements
Configuring a Cloud Connector
Scanning Paused or Offline VMWare Images

You can run scans on the following cloud types: Amazon EC2, VMWare
vCenter, GoGrid, Rackspace, and IBM SmartCloud.

Requirements
Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 Requirements
To use the Amazon EC2 connector, you must adhere to the following recommendations from Amazon:

User accounts must have minimal permissions assigned (for example, describe instances).

Small or Micro instances cannot be scanned.

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:

ec2:DescribeInstances
ec2:DescribeInstanceStatus
ec2:StartInstances
ec2:StopInstances
ec2:DescribeImages
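To make the least-privilege requirement above checkable, the following is an added example written for this page (not BeyondTrust code and not an official Amazon policy): it builds an IAM policy document carrying exactly the five actions listed and checks any other policy against that minimum, reporting both missing actions and grants that go beyond it, including wildcards such as ec2:* that cover far more than the connector needs. The "Resource": "*" scope and the over-broad sample policy are assumptions constructed for the demonstration.

```python
import fnmatch
import json

# The minimum EC2 permissions the guide lists for the connector account.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeImages",
})


def minimal_connector_policy():
    """Build an IAM policy document granting exactly the listed actions.
    The "Resource": "*" scope is an assumption of this example; narrow it to
    the instances you actually scan where your account layout allows."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def allowed_actions(policy):
    """Collect the action patterns granted by every Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    granted = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be given as a string
            actions = [actions]
        granted.update(actions)
    return granted


def check_connector_policy(policy):
    """Compare a policy against the connector's minimum.

    Returns (missing, excess): `missing` are required actions that no granted
    pattern covers; `excess` are granted patterns that are not one of the
    required actions.  A wildcard covers the required actions (so nothing is
    missing) but is still reported as excess because it grants more."""
    granted = allowed_actions(policy)
    missing = {
        action for action in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted)
    }
    excess = {pattern for pattern in granted if pattern not in REQUIRED_ACTIONS}
    return sorted(missing), sorted(excess)


def check_policy_json(text):
    """Run the same check on a policy pasted as JSON text."""
    return check_connector_policy(json.loads(text))


# Constructed sample of an over-broad policy an administrator might attach
# to the connector user instead of the minimal one.
OVERBROAD_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
})
```

The check deliberately treats a wildcard as excess even though it leaves nothing missing: the guide's requirement is minimal permissions, so a policy that passes only on the "missing" side is not yet the one to attach.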

VMWare VCenter Requirements

You can scan VMWare virtual machines.
Ensure the following requirements are in place before you configure the VMWare connector in Retina CS.

Retina 5.17 or later

Retina CS 3.5 or later

VMWare Tools must be installed on the targets that you want to scan.

Log on to the VMWare web site and download the Virtual Disk Development Kit (VDDK):
http://www.vmware.com/support/developer/vddk/
Retina only supports version 5.1 of the VDDK. Ensure you copy the following file: VMware-vix-disklib-5.1.0-774844.i386.exe

Run the VDDK installer on the Retina computer using local Administrator credentials.

Retina CS needs access to https://<VMWare server>/sdk through port 443.

Configuring a Cloud Connector

You can configure a cloud connector in one of the following ways:

- On the Configure tab.
- On the fly, when you are creating a cloud connector Smart Group.

To configure a cloud connector and Smart Group:

1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule, and then enter the name, description, and category.
3. Select Cloud Assets from the Asset Selection Criteria section.
4. Click the browse button to open the Manage Cloud Connections dialog
   box.
5. Click New.
6. Enter a title, and then select the provider: Amazon EC2, VMWare
   VCenter, GoGrid, Rackspace, or IBM SmartCloud.
7. On the New Connection dialog box, enter the connector information:

   Amazon - For Amazon cloud connections, you must enter the region,
   access key ID, and secret access key. Use a key that belongs to an
   account holding only the permissions listed under Amazon EC2
   Requirements. Instances associated with the region are displayed in
   the Connection Test Results section.

   VMWare vCenter - For VMWare cloud connections, enter the VMWare
   server name and credentials. Click Advanced to set a network for a VM
   if that VM needs to be turned on. If you scan snapshots, the results
   are displayed as attributes on the details pane for the VM.

   GoGrid - Select the account type, enter the user name and API key.

   Rackspace - Select the account type, enter the user name and API
   key.

   IBM SmartCloud - Select the region, enter the user name and
   password.

   After you configure the connector, click Test to ensure the connector
   works.
8. Click Save.
9. In the Perform Actions area of the Smart Rules Manager, select Show
   asset as Smart Group, and then click Save.
After you create a cloud connector, you can run a scan and review the results
to determine if any cloud assets are vulnerable.

Scanning Paused or Offline VMWare Images
By default, paused or offline VMs are turned on during a scan. After the scan
runs, the VMs are reverted to the paused or offline state. To scan offline
VMs without powering them on, see Scanning VMDK Files.
If you suspect that a VM is compromised, you can turn it on in a separate,
isolated network so that other VMs are not exposed to it. The scan runs as
usual, then the VM is reverted to the paused or offline state.
To choose that network, click the Advanced button when creating the
connector. You can configure each host that is a member of the vCenter
instance; the option that you select applies to all VMs on the host.

Note: The advanced options dialog box varies depending on your vCenter
configuration. The list of available options includes all other
networks configured for your vCenter instance or on your ESX
server.

Scanning VMDK Files

You can scan a VMDK file rather than turning on a VM. Ensure the check box
for this option is selected.
Scan times are faster when VMs remain powered off. However, scan results
might differ from scan results for VMs powered on (for example, open ports
and running processes might not be detected for VMs powered off).


Multi Tenant
Not supported in Retina CS Community.
Overview
Smart Rules Manager
Working with Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant

Overview
The Multi Tenant feature in Retina CS allows you to define multiple
organizations (or tenants) where each organization's asset data is kept
isolated from all other organizations. Only Smart Rules marked as Global can
combine asset data across multiple organizations.
Most Retina CS features are available with Multi Tenant, including:

- Smart Rules
- Patch management module
- Mobility connectors

Features not available include exclusions, tickets, and report templates.


Smart Rules Manager and Browser Pane

All of the pre-packaged Smart Rules are part of the Global rules. When a
pre-packaged Smart Rule is turned on, the Smart Rule applies to all assets in
every organization. You can select the Global rules from the Smart Groups
browser pane.
When you initially create an organization:

- The Default Organization is provisioned with an All Assets Smart Rule.
- The new organization is provisioned with an All Assets Smart Rule.

Create Smart Rules in the usual way. For more information, see Creating a
Smart Rule.
You can easily switch between tenants on the Smart Groups browser pane
and on the Smart Rules Manager page.

Working with Scan Credentials

You can create credentials when running a scan. However, when using the
multi-tenant feature, you can create global credentials or credentials for an
organization.
All users can see global credentials; the appropriate permissions are needed
to see tenant-specific credentials. Because a global credential is visible to
every user regardless of organization, create credentials specific to each
tenant so that one tenant's credentials are not visible from another.
In the following scenario, while XYZ Financial is the organization selected,
you can choose to create credentials only for XYZ or select the Set as Global
check box.


For more information about credentials, see Adding Credentials.

Quick Rules
When you create a quick rule from the Vulnerabilities page or the Attack
page the rule applies to whichever organization is selected in the Smart
Groups browser pane.
When you create a quick rule from the Address Group, you can select the
organization.
Organization Filters
When working with more than one customer, use the Organization filters to
see only assets, Retina scan agents, or Retina protection agents associated
with a particular customer.
The Organization filter is only displayed if more than one active organization
is available to the currently logged-on user.
Additionally, when managing your user groups, you can filter Smart Rules by
organization.
Patch Management Module
If you are using Multi Tenant, note the following when using the Patch
Management Module:

- For each WSUS server connection, you must select an organization.
- When creating a Smart Rule, the credentials displayed are only for the
  selected organization.
- Credentials created when you create the Smart Rule are only associated
  with that organization.
- The list of available WSUS servers includes all global connections plus
  any specific to the organization.

For more information, see Patch Management Module.

Mobility Connectors
You can associate an organization with any of the mobility connectors.
Select the organization when creating the connector.
For more information, see Mobility Scanning.
Retina Protection Agents
A workgroup is required when deploying Retina protection agents in a Multi
Tenant environment.
For more detailed information about deployment, see Deploying the
Protection Policies.
Selecting a Workgroup

For unknown assets (assets not scanned by Retina CS), you must select a
workgroup associated with the organization. Assets might be unknown when
using the settings:

- Single IP address
- IP range
- CIDR notation
- Named Hosts

For known assets (assets detected and in the Retina CS database), a
workgroup does not need to be selected. The assets are already associated
with a workgroup. Assets are known when using the settings:

- Currently selected Smart Group
- Currently selected Assets

Creating a Workgroup

When an organization is selected in the Smart Groups browser pane, you can
enter a workgroup name if one is not already created for the organization.
The workgroup name must be unique across all organizations. If you enter a
name that exists, an error message is displayed.
Note that you cannot enter a workgroup name when Global is selected in
the Smart Groups browser pane.

Viewing the Workgroups Available

The workgroups displayed depend on the item selected in the Smart Groups
browser pane.

- Global - All workgroups are displayed. The organization is shown in
  parentheses.
- Organization - Only workgroups associated with the organization are
  displayed.

Setting Up Organizations
Key steps in setting up an organization:

- Create a workgroup
- Create an organization
- Create a user group

Step 1 Creating a Workgroup

Permissions: the User Accounts Management permission is needed to assign
workgroups to an organization.
Every Retina scanner agent or Retina protection agent must be assigned a
workgroup. A workgroup is typically created when the agent is initially
deployed.

You can add and delete workgroups. However, you cannot rename
workgroups.
You can only delete a workgroup if it is not associated with an organization,
mobility connector, Retina scanner or Protection agents.
Use the REM Client Configuration tool to create a workgroup.
To create the workgroup:
1. Log on to the asset where the agent resides.
2. Start the REM Client Configuration Tool.
3. Select the Enabled Application tab, and select the check box for the
agent.
4. Select the Workgroup tab and enter a name and description.

5. Click OK.
Step 2 Adding an Organization
An organization is automatically populated with an All Assets Smart Group.
To create an organization and associate with a workgroup:
1. Click the Configure tab, and then click the Organizations tab.
2. Click the Create New Organization button.
3. Enter the name of the organization.

   The Active check box is selected by default and must be selected to
   successfully run scans on the tenant's assets.
4. Click the Create button.
5. Scroll to the Workgroups tab.
6. Click the edit icon for the organization, and then select the organization.
7. Click the check mark to save the changes.


Step 3 Creating a User Group for a Tenant
You can create a user group for a tenant. The users in the group can then log
on to Retina Insight and run reports. When creating the user group, ensure
that you assign the Retina Insight permission. Additionally, assign Read
permissions to the tenant's Smart Rules. The users can then run reports
based on the Smart Rules.
Creating a user group for a tenant is optional and only required if your client
wants to run reports from Retina Insight. For more information, see
Managing Users.
As a security measure, a tenant cannot log on to Retina CS.


Managing Users
Not supported in Retina CS Community.
In this section,
Creating User Groups
User Group Permissions
Access Levels
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users
Create user groups and user accounts so that your Retina CS administrators
can log on to Retina CS.
You can delegate Retina CS administrator responsibilities by explicitly
assigning certain Read and Write permissions to a user group. After a user
group is created, create and add user accounts to the group.

Creating User Groups


You can create a user group based on the delegation model you designed for
your Retina CS administrators.
Alternatively, you can add an Active Directory group. Members in that
group can log on to Retina CS and perform tasks based on the permissions
assigned to the group.
An Administrators user group is created by default. The permissions
assigned to the group cannot be changed. The user account you created
when you configured Retina CS is a member in the group.
For a complete list of the Read and Write permissions available, see User
Group Permissions.
When a user is added to a group, the user is assigned the permissions that are
assigned to the group.
To create a user group:
1. Select the Configure tab then select the Accounts tab.
Select the button to change the view between all users and all groups.


2. To create a user group, click + in the User Groups pane.
3. Select Group or Active Directory Group from the list.
4. Enter a name and description for the user group, or Forest and Domain
   for an Active Directory group. These fields are required.
   If you select Active Directory Group, the Select Active Directory
   dialog box is displayed. If the Retina CS server is a member of a domain,
   the Forest name is automatically populated. Note, however, that you
   might need to click Credentials if the Retina CS application pool
   identity does not have sufficient rights to query Active Directory.
   If the Retina CS server is not a member of a domain, you need to set
   proper credentials first (click Credentials) and then enter a valid Forest
   name and click Go. Next, select a domain from the drop-down menu. A
   list of Security Groups in the selected domain is displayed.
   For performance reasons, a maximum of 250 groups is retrieved from
   Active Directory. If the selected domain contains more than 250
   security groups, use the Group Filter field to shorten the displayed
   list; a group beyond the first 250 is not shown until the filter is
   narrowed. The default filter is an asterisk (*), a wildcard that returns
   all groups. Some examples of other filters are:
   a* (returns all group names that start with a)
   *d (returns all group names that end with d)
   *sql* (returns all groups that contain 'sql' in the name)
5. Select the Active check box to activate the user group. Otherwise, clear
   the check box and activate later.
6. Select the permissions and access levels.
7. Select the Smart Rules and access levels to the rules.
8. Click Create.
9. Create and add user accounts.
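The Group Filter is user-typed text that ends up inside a directory query, so beyond the wildcard semantics the thing worth checking is that characters other than * cannot change the query. The following Python is an added example, not code from Retina CS: it escapes a filter value per RFC 4515 while keeping * as the wildcard, builds an LDAP filter that selects security groups by cn (the matching-rule OID and groupType bit are Microsoft's documented values), and applies the same a*, *d and *sql* semantics plus the 250-group cap to a constructed list of group names. How Retina CS itself builds its query is not stated in the guide; the filter here is the author's assumption of a sensible one.

```python
import re

MAX_GROUPS = 250  # the cap the guide states for the Active Directory lookup

# groupType bit that marks a security group (ADS_GROUP_TYPE_SECURITY_ENABLED)
SECURITY_ENABLED = 0x80000000
# LDAP_MATCHING_RULE_BIT_AND: lets a filter test a single bit of groupType
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str, keep_wildcard: bool = True) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515).

    '*' is preserved so the a*, *d and *sql* patterns from the guide keep
    working; parentheses, backslash and NUL are hex-escaped so a value such
    as '*)(objectClass=*' cannot rewrite the filter around it."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append("*")
        elif ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def security_group_filter(name_pattern: str = "*") -> str:
    """LDAP filter for security groups whose cn matches the pattern
    (assumed shape of the query; the guide does not show the product's)."""
    return ("(&(objectCategory=group)(groupType:%s:=%d)(cn=%s))"
            % (BIT_AND_RULE, SECURITY_ENABLED,
               escape_filter_value(name_pattern)))


def _glob(pattern: str):
    # Same semantics client-side: '*' matches anything, case-insensitive
    return re.compile("".join(".*" if c == "*" else re.escape(c)
                              for c in pattern), re.IGNORECASE)


def filter_groups(groups, name_pattern="*", limit=MAX_GROUPS):
    """Apply the pattern to an already-retrieved list of group names and cut
    it to the cap. Returns (matches, truncated) so the caller can tell the
    list was cut off and the filter should be narrowed."""
    rx = _glob(name_pattern)
    matches = [g for g in groups if rx.fullmatch(g)]
    return matches[:limit], len(matches) > limit


# Constructed sample group names; not real directory data
SAMPLE_GROUPS = ["Domain Admins", "SQL Ops", "sqladmins",
                 "Backup Operators", "audit-d"]
```

The escaping function is the part to keep: anything that takes a user's wildcard pattern and concatenates it into an LDAP filter needs exactly this treatment, or a filter value like *)(objectClass=* turns a group lookup into a broader directory query.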


User Group Permissions


Permissions in Retina CS must be assigned cumulatively. For example, if you
want a Retina CS administrator to manage only Configuration Compliance
scans, then you must assign Read and Write for the following permissions:
Asset Management, Benchmark Compliance, Reports Management, Scan Job Management, Scan Management.
The following table provides information on the permissions that you can
assign to your user groups.

Permission Name                Apply Read and Write to
Asset Management               Create Smart Rules; edit or delete on the
                               Asset Details window; create Active
                               Directory queries; create address groups.
Attribute Management           Add, rename, delete attributes when
                               managing user groups.
Benchmark Compliance           Configure and run benchmark compliance
                               scans.
Credential Management          Add and change credentials when running
                               scans and deploying policies.
Deployment                     Activate the Deploy button.
File Integrity Monitoring      Work with File Integrity rules.
Manual Range Entry             Allows the user to manually enter ranges
                               for Scans and Deployment rather than being
                               restricted to Smart Groups. The specified
                               ranges must be within the selected Smart
                               Group.
Option Management              Change the application options settings
                               (such as account lockout and account
                               password settings).
Patch Management               Use the Patch Management module.
PowerBroker for Unix & Linux   Use the PowerBroker Servers module.
PowerBroker for Windows        Activates access to the PowerBroker for
                               Windows features, including PBW asset
                               details and the exclusions page on the
                               Configure tab.
Protection Policy Management   Activate the protection policy feature.
Reports Management             Run scans, create reports, create report
                               category.
Retina CS Login                Access the Retina CS management console.
                               User groups can deploy policies, and manage
                               protection policies on the Configure tab.
Retina Insight                 Sign in to Retina Insight, generate
                               reports, and subscribe to reports. After
                               you create a user group for Retina Insight,
                               go to the Configure tab in Insight and run
                               the process daily cube job. Data between
                               Retina CS and the Insight cube must be
                               synchronized.
Scan - Audit Groups            Create, delete, update and revert Audit
                               Group settings.
Scan - Job Management          Activate Scan and Start Scan buttons.
                               Activates Abort, Resume, Pause and Delete
                               on the Job Details page.
Scan - Policy Manager          Activate the settings on the Edit Scan
                               Settings view.
Scan - Port Groups             Create, delete, update and revert Port
                               Group settings.
Scan Management                Delete, edit, duplicate, and rename reports
                               on the Manage Report Templates page.
                               Activate New Report and New Report
                               Category. Activate Update button on the
                               Edit Scan Settings view.
Session Monitoring             Use the Session Monitoring features.
Ticket System                  View and use the ticket system.
Ticket System Management       Mark a ticket as Inactive. The ticket no
                               longer exists when Inactive is selected.
User Accounts Management       Add, delete, or change user groups and user
                               accounts.
User Audits                    View audit details for Retina CS users
                               (Configure tab, User Audits window).


Access Levels

Access Level     Description
No Access        Neither Read nor Write check boxes are selected. Users
                 can only view the dashboard and corresponding views.
Read             Users can view selected areas, but cannot change
                 information.
Read and Write   Users can view and change information for the selected
                 area.

Permissions Required for Configuration Options

Configure tab option       Permission
Accounts                   Everyone can access. Users without User
                           Accounts Management permission can only edit
                           their own user record.
Active Directory Queries   Asset Management
Address Groups             Asset Management
Attributes                 Asset Management
Benchmark Management       Benchmark Compliance
Cloud Connections          Asset Management
Mobile                     Asset Management
Organization               User Accounts Management
Patch Management           Patch Management
SCCM                       Patch Management
Protection Policies        Everyone can access
Scan Options               Scan Management
Services                   Member of the built-in RCS Administrators group
User Audits                User Audits
Workgroups                 User Accounts Management


Creating User Accounts

User accounts create the user identity that Retina CS uses to authenticate
and authorize access to specific system resources.
When you delete a user account or group that is assigned tickets, a dialog
box is displayed where you can reassign the ticket to another user or group.
A user account must be a member in a user group.

Checkpoint
You must create a user group before you can create a user account. For more
information, see Creating User Groups.
To create a user account:
1. Select the Configure tab, and then select the Accounts tab.
2. From the Groups/Users button select the Groups view.
3. Select a user group.
4. Click + in the Users pane.
   To edit a user, select the user account. The User Details pane is
   displayed.
5. Complete the First Name, Email Address, User Name, Password, and
   Confirm Password. These fields are required.
   Note: If you are changing the password, see Reset Retina CS Account
   Password.
6. Enter the user's phone numbers (optional).
7. Select an Activation Date and an Expiration Date for the user account.
8. Select the User Active check box to activate the user account.
9. Select the Account Locked check box to lock the account.
10. Select one or more user groups from the list and click Add.
11. Click Create.
Later, after you create a user, you can change the group membership. Change
the view to the Users view. Select a user account and change the group
membership.

Reset Retina CS Account Password

You can change the password for a Retina CS user account.
To reset a user password:
1. Select the Configure tab then select the Accounts tab.
2. Select the user name from the Users pane.
3. Click Reset Password.
4. Enter the new password.
5. Click Update.

Auditing Retina CS Users

You can track the activities of your Retina CS administrators.
You can review:

- Logon and logoff times
- The IP address the administrator logged on from
- Any actions taken (for example, configuring user settings)

If there are a lot of audit activities, you can use the search feature to display
only those that are relevant. You can also configure display preferences and
filters to refine the information displayed. For more information, see
Changing the Display.

The following example shows that the Administrator added and then
removed an address group.
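Reviewing audit entries one at a time does not scale, but the logon time, source IP and action the guide lists are enough to automate a first pass. The following Python is an added example (not output or code from Retina CS) that parses a constructed set of audit records in that shape and flags logons from an address the account has not used before, together with sensitive changes (user, group, credential and option changes) made in such a session. The record layout and the list of sensitive actions are assumptions; adapt them to what the User Audits window actually shows.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the shape the guide describes (logon/logoff, source
# IP, action taken). It is not output from Retina CS.
SAMPLE_AUDIT = """\
timestamp,user,source_ip,action
2013-06-10 09:12:03,Administrator,10.0.0.5,Logon
2013-06-10 09:14:10,Administrator,10.0.0.5,Address group added
2013-06-10 09:15:42,Administrator,10.0.0.5,Address group removed
2013-06-10 09:30:00,Administrator,10.0.0.5,Logoff
2013-06-10 23:41:17,Administrator,203.0.113.9,Logon
2013-06-10 23:42:05,Administrator,203.0.113.9,User group permissions changed
2013-06-10 23:43:30,Administrator,203.0.113.9,User account created
"""

# Assumed set of actions that deserve a second look when they follow a
# logon from an address the account has never used
SENSITIVE_PREFIXES = ("User group", "User account", "Credential", "Option")


def parse_audit(text: str) -> List[dict]:
    """Parse CSV audit records and order them by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["time"])


def triage(rows: Iterable[dict],
           known_ips: Optional[Dict[str, Set[str]]] = None
           ) -> List[Tuple[str, str, str, str]]:
    """Flag logons from an address the user has not used before, and
    sensitive actions performed in a session that started from one.
    `known_ips` is the baseline of addresses already seen per user."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        seen[user].update(ips)
    # user -> IP of a still-open session that began from a new address
    flagged_session: Dict[str, str] = {}
    findings = []
    for r in rows:
        user, ip, action = r["user"], r["source_ip"], r["action"]
        if action == "Logon":
            if ip in seen[user]:
                flagged_session.pop(user, None)
            else:
                findings.append((r["timestamp"], user, ip,
                                 "logon from new address"))
                flagged_session[user] = ip
            seen[user].add(ip)
        elif action == "Logoff":
            flagged_session.pop(user, None)
        elif (action.startswith(SENSITIVE_PREFIXES)
              and flagged_session.get(user) == ip):
            findings.append((r["timestamp"], user, ip,
                             "sensitive change in flagged session: " + action))
    return findings
```

Run with a baseline of each administrator's usual addresses, the sample yields three findings: the late-night logon from 203.0.113.9 and the two account changes made in that session, while the daytime address-group edits from the familiar address are not reported.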

Adding Credentials
You can create the following credential types:

- SSH. See Creating an SSH Credential.
- Windows
- MySQL
- Microsoft SQL Server
- Oracle. See Creating Oracle Credentials.

Retina scanner agent version 5.14 (or later) is required to support this
feature.
To add a credential:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. Select a credential type from the list: Any, Windows, MySQL, MS SQL
Server.
4. Enter the user account information: domain, user name, password, and
key.
5. If you are creating Microsoft SQL Server credentials, select the
authentication type.
6. If you are creating more than one credential, you can use the same
confirmation key for all credentials. Select the Use the same key for all
check box, and then enter the key.
7. Click Save.
Creating an SSH Credential
You can create public key credentials to connect to SSH-configured targets.
You can select a credential that contains a public/private key pair used for
SSH connections.
DSA and RSA key formats are supported.
Optionally, when configuring SSH, you can select to elevate the credential:

- Use sudo. Using sudo, you can access scan targets that are not
  configured to allow root accounts to log on remotely. You can log on as
  a normal user and sudo to a more privileged account. Additionally, you
  can use sudo to elevate the same account to get more permissions.
- Use pbrun. Using pbrun, you can elevate the credential when working
  with PowerBroker Servers for Unix & Linux target assets.

To create an SSH credential:
1. On the Set Scan Options page, expand Credentials Management and
   click the pencil icon.
2. Click Add.
3. From the Type list, select SSH.
4. Enter a description and user name.
5. Select an authentication type from the list:
   Password - Enter a password.
   Public Key - Enter the private key file name and passphrase. Click
   Browse to navigate to the file. A public key is generated based on the
   contents of the private key.
6. Enter a description and key.
7. To elevate credentials (optional), select one of the following from
   the Elevation list:
   sudo - Enter a sudo user name and password. You can use the user
   name provided in the Username box and leave the sudo username
   blank.
   pbrun - Enter the pbrun user name.
8. Click Save.
Creating Oracle Credentials
If you are scanning Oracle databases, you can create Oracle credentials.
The tnsnames.ora file is updated automatically after you create an Oracle
credential.
To create Oracle credentials:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. From the Type list, select Oracle.
4. Provide a user name, description, and password.

5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.
   SYSDBA and SYSOPER are Oracle administrative privileges; prefer
   Standard unless the audits you run require more.
6. Select additional connection options:
   Connect To - Select from: Database SID, Named Service.
   Database SID - Enter the database SID.
   Protocol - Select a protocol: TCP, TCPS, NMP.
   Host - Enter the host name where the Oracle database resides.
   Port Number - Enter a port number.
7. Enter a key.
8. Click Save.
Adding Credentials for Active Directory Access
You can add credentials to access a particular Active Directory domain. Add
credentials for each forest/domain combination.
To add Active Directory credentials:
1. Click the Configure tab then select the Accounts tab.
2. Click + and select Active Directory Group.
3. Click Credentials.
4. Click Add.
5. Enter the forest name, domain name, user name, and password.
   Enter the user name using the format: <domain name>\user name.
   Otherwise, the domain you enter in the Domain box is used.
6. Click Test.
   Success is displayed when the credentials provided can successfully
   contact the domain.
7. Click OK.

Setting Retina CS Options


In this section,
Account Lockout Options
Account Password Options
Auto Update Options
Display Options
Email Notification Options
Maintenance Options
Proxy Settings
Refresh Settings

Account Lockout Options

Not supported in Retina CS Community.
You can set lockout options, such as lockout threshold and duration.
To set account lockout parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Lockout
   Options.
3. Set the following account lockout options:

   Account Lockout Duration - Sets the number of minutes the user
   is locked out.

   Account Lockout Threshold - Sets the number of times a user can
   try their password before the account is locked out.

   Account Lockout Reset Interval - Sets the number of
   unsuccessful password entry attempts before generating a reset
   notification.

   Unlock Account upon Password Reset Notification - Select the
   Yes check box to email a new password and unlock the account
   when Forgot Your Password is selected. If not selected, an email is
   sent with a new password but the account is not unlocked.

4. Click Update.
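The lockout numbers interact, and the one-line descriptions above leave the interplay implicit. The following Python is an added example, not code from Retina CS, that models them as a small state machine: failures accumulate until the threshold, the lock lasts for the duration, and failures older than the reset interval no longer count. The guide's wording for Account Lockout Reset Interval is ambiguous, so treating it as a window in minutes (the way the equivalent Windows setting works) is an assumption; so is the rule that a locked account rejects even the correct password, which is the behaviour you want from any lockout because it denies an attacker a password oracle while the lock is in force.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5            # Account Lockout Threshold: failures allowed
    duration_min: int = 30        # Account Lockout Duration: minutes locked
    reset_window_min: int = 15    # ASSUMED meaning of Reset Interval: minutes
                                  # after which earlier failures stop counting
    unlock_on_reset: bool = True  # Unlock Account upon Password Reset Notification


@dataclass
class Account:
    failures: int = 0
    window_start: Optional[float] = None  # time (minutes) of first counted failure
    locked_until: Optional[float] = None


def is_locked(acct: Account, now: float) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_logon(policy: LockoutPolicy, acct: Account,
                 password_ok: bool, now: float) -> str:
    """Apply one logon attempt at time `now` (minutes).

    Returns 'ok', 'failed' or 'locked'. A locked account answers 'locked'
    even to the correct password, so the lock cannot be used to confirm a
    guess."""
    if is_locked(acct, now):
        return "locked"
    if acct.locked_until is not None:      # lock has expired: start clean
        acct.locked_until = None
        acct.failures, acct.window_start = 0, None
    if password_ok:
        acct.failures, acct.window_start = 0, None
        return "ok"
    # Reset interval elapsed: earlier failures are forgotten
    if acct.window_start is None or now - acct.window_start > policy.reset_window_min:
        acct.failures, acct.window_start = 0, now
    acct.failures += 1
    if acct.failures >= policy.threshold:
        acct.locked_until = now + policy.duration_min
        return "locked"
    return "failed"


def forgot_password(policy: LockoutPolicy, acct: Account) -> str:
    """'Forgot Your Password': a new password is always mailed; the lock is
    cleared only when Unlock Account upon Password Reset Notification is Yes."""
    if policy.unlock_on_reset:
        acct.locked_until = None
        acct.failures, acct.window_start = 0, None
    return "new password emailed"
```

Note the consequence of the reset window: with a threshold of 3 and a window of 5 minutes, two failures followed by a third twenty minutes later never lock the account, so a low threshold paired with a short window still allows a slow online guessing attack, and the user audit log is what catches it.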


Account Password Options

Not supported in Retina CS Community.
You can set account password parameters, such as a complexity requirement
and password length.
To set account password parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Password
   Options.
3. Set the following password options:

   Password Must Meet Complexity Req. - Requires users to adhere
   to complex password rules when creating a password.

   Enforce Password History - Enter the number of passwords a user
   must create before an old password can be reused. Enter 0 to not
   enforce a password history; there are no restrictions on using past
   passwords when 0 is entered.

   Minimum Password Length - Enter the minimum number of
   characters for the password.

   Maximum Password Age - Enter the maximum number of days
   before a password must be changed.

   Minimum Password Age - Enter the minimum number of days
   that a password must be used before it can be changed.

4. Click Update.
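A password policy is only as good as the edge cases of its checks; for instance, Enforce Password History set to 0 must mean no history, not an empty slice that matches everything. The following Python is an added example, not Retina CS code, that validates a proposed password change against the five options above and reports every rule it breaks rather than stopping at the first. The three-of-four character-class rule for complexity and the SHA-256 digests standing in for the stored history are assumptions made for the example; a real store should keep salted, slow hashes, never the passwords themselves.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PasswordPolicy:
    complexity: bool = True   # Password Must Meet Complexity Req.
    history: int = 5          # Enforce Password History (0 = not enforced)
    min_length: int = 8       # Minimum Password Length
    max_age_days: int = 90    # Maximum Password Age
    min_age_days: int = 1     # Minimum Password Age


def digest(password: str) -> str:
    """Stand-in (assumption) for however the product stores old passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str) -> bool:
    """ASSUMED rule: characters from at least three of four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def validate_change(policy: PasswordPolicy, new_password: str,
                    history: List[str], last_changed_day: Optional[int],
                    today: int) -> List[str]:
    """Return the names of the rules a proposed change violates (an empty
    list means the change is allowed). `history` holds digests, oldest
    first; days are plain integers to keep the example self-contained."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append("min_length")
    if policy.complexity and not meets_complexity(new_password):
        problems.append("complexity")
    # history == 0 means no restriction; history[-0:] would be the whole
    # list, which is why the count is tested before slicing
    if policy.history > 0 and digest(new_password) in history[-policy.history:]:
        problems.append("history")
    if last_changed_day is not None and today - last_changed_day < policy.min_age_days:
        problems.append("min_age")
    return problems


def is_expired(policy: PasswordPolicy, last_changed_day: int, today: int) -> bool:
    """True once the password is older than Maximum Password Age."""
    return today - last_changed_day > policy.max_age_days
```

The minimum-age check is what gives the history check teeth: without it a user can cycle through N+1 passwords in a minute and land back on the old one.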

Auto Update Options


Retina CS contacts the Update Server to retrieve the latest product and audit
updates. Downloading updates ensures your assets are secure against the
latest vulnerabilities.
By default, Auto Update is turned on.
To activate Auto Update:
1. Select Options.
2. On the Application Options dialog box, expand Auto-Update Options.
3. Select the Yes check box.
4. Click Update.


Display Options
You can turn on auto-expansion and set the number of items to display per
page.
To set display options:
1. Select Options.
2. On the Application Options dialog box, expand Display Options.
3. Select the Yes check box to open the report in a new window.
This feature is available only with reporting on existing data.
4. Enter the number of items to display per page.
5. Select the Yes check box to turn on auto-expansion.
6. Click Update.

Email Notifications
The email notification sends an email when an error occurs while running
reports.
The email address is stored in the Retina CS database.
Note: Email settings are initially set in the Retina CS configuration tool.
Ensure that you use the same information here.
To add an email address for notification:
1. Select Options.
2. On the Application Options dialog box, expand Email Notification
Options.
3. Enter an email address in the From Email Address box.
4. Verify the SMTP server name and port.
5. Enter the username and password.
6. Click Update.

Maintenance Options
You can remove collected data from the Retina CS database. Configure the
number of days to retain data.
Not all maintenance options are supported in Retina CS
Community.
To specify the maintenance options:
1. Select Options.
2. On the Application Options dialog box, expand Maintenance Options.
3. Enter the number of days that pass before data is purged.

Purge General Events Older Than - Purges the raw information


sent by the protection agents and Retina agents. The default number
of days is 7.

Purge Vulnerabilities Older Than - The vulnerabilities are


displayed in the Vulnerabilities module until fixed or purged.
Recommended: 90 days. However, this can vary for different
environments. Once the data is purged, the vulnerabilities are
removed from the database.

Purge Attacks Older Than - Attacks are discovered by the


protection agent.
Recommended: 90 days.

Purge Assets Older Than - This covers assets that were


discovered once, but are never discovered again (the asset might be
inactive or removed). Recommended: 30 days.

Purge Audit Data Older Than - Purges audit data.

Purge Retina Agent Jobs every N days - Purges jobs. The default
value is every 30 days.
Enter 0 if you do not want to purge the jobs.

BeyondTrust

Purge Chart Data Older Than - Purges chart data. The default
value is 90 days.

Purge Application Events Older Than - Purges the application


events sent by the protection agent and Retina agents. The default
value is 7.

Purge Application Log Files Older Than - Purges the raw


information sent by the protection agents. The default value is 30.

Purge Asset Attributes Older Than - Purges the raw information


sent by the protection agents and Retina agents. Recommended: 7
days.

Purge Scans Older Than - Purges the raw information sent by the
protection agents and Retina agents. Recommended: 7 days.

Purge Scans Events Older Than - Purges the raw information


sent by the protection agents and Retina agents. Recommended: 7
days.

Purge Attack Events Older Than - Purges the raw information


sent by the protection agents. Recommended: 7 days.

Purge Windows Events Older Than - Purges the information sent


by the protection agents. The default value is 90 days.

June 10, 2013

99

Retina CS UserGuide

Setting Retina CS Options

Purge Closed Tickets Older Than - Enter the number of days


before closed or inactive tickets are deleted.
The calculation for purging ensures the ticket is closed and uses the
date the ticket was last updated, not the due date.
For example, a ticket has a due date 60 days in the future but the
ticket was closed and not edited for over a week. If the purge setting
is set to 7, then the ticket is purged even though the due date is in
the future.

Server Localization - en-US. Reserved for future use.

Purge PBW Events Older Than - Purges the PowerBroker for


Windows events.

Purge PBUL Events Older Than - Purges the events sent by


PowerBroker Servers.

Purge FIM Events Older Than - Purges the File Integrity events
captured by PowerBroker for Windows.

4. Click Update.
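The retention rules above can be expressed as a small purge-eligibility check. The following Python is an added example written for readers of this guide, not part of Retina CS: the setting names, record fields and sample dates are constructed, and it applies the two rules the text states, that a value of 0 disables purging and that a closed ticket is aged by its last-updated date, never by its due date.

```python
"""Purge-eligibility rules for Retina CS maintenance settings.

Added example, not Retina CS code. Models the behaviour the Maintenance
settings describe: a record older than N days is purged, a value of 0 means
"never purge", and a closed ticket is judged by its last-updated date, never
by its due date. Setting names, record fields and sample dates are constructed.
"""
from datetime import date, timedelta

# Constructed settings (days), mirroring the guide's recommended values.
PURGE_SETTINGS = {
    "retina_agent_jobs": 30,   # 0 disables purging of jobs
    "chart_data": 90,
    "application_events": 7,
    "scans": 7,
    "closed_tickets": 7,
}

TODAY = date(2013, 6, 10)  # reference day for the sample records below

# Constructed records. Tickets also carry a status and a due date.
SAMPLE_RECORDS = [
    {"id": "job-1", "category": "retina_agent_jobs", "last_updated": TODAY - timedelta(days=45)},
    {"id": "job-2", "category": "retina_agent_jobs", "last_updated": TODAY - timedelta(days=10)},
    {"id": "chart-1", "category": "chart_data", "last_updated": TODAY - timedelta(days=91)},
    # Closed nine days ago but due 60 days from now: purged, as the guide describes.
    {"id": "tkt-1", "category": "closed_tickets", "status": "closed",
     "last_updated": TODAY - timedelta(days=9), "due_date": TODAY + timedelta(days=60)},
    # Stale but still open: never purged, because only closed tickets qualify.
    {"id": "tkt-2", "category": "closed_tickets", "status": "open",
     "last_updated": TODAY - timedelta(days=30), "due_date": TODAY - timedelta(days=1)},
]


def is_expired(last_updated, purge_days, today):
    """True when the record was last updated more than purge_days ago.

    A setting of 0 (or less) disables purging for that category.
    """
    if purge_days <= 0:
        return False
    return today - last_updated > timedelta(days=purge_days)


def ticket_is_purgeable(ticket, purge_days, today):
    """Closed tickets age by last-updated date; the due date plays no part."""
    return ticket["status"] == "closed" and is_expired(ticket["last_updated"], purge_days, today)


def select_for_purge(records, settings, today):
    """Return {category: [record ids]} of everything the settings would purge."""
    doomed = {}
    for record in records:
        days = settings.get(record["category"], 0)   # unknown category: never purge
        if record["category"] == "closed_tickets":
            purge = ticket_is_purgeable(record, days, today)
        else:
            purge = is_expired(record["last_updated"], days, today)
        if purge:
            doomed.setdefault(record["category"], []).append(record["id"])
    return doomed


if __name__ == "__main__":
    for category, ids in select_for_purge(SAMPLE_RECORDS, PURGE_SETTINGS, TODAY).items():
        print(f"{category}: purge {ids}")
```

Running the module lists the constructed records the settings would remove; the open ticket survives despite being older than the closed-ticket setting, and the ticket with a due date far in the future is removed because it has not been updated for more than 7 days.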

Proxy Settings
You can configure a proxy server if the Retina CS server does not have
direct Internet access.
To set up a proxy server:
1. Select Options.
2. On the Application Options dialog box, expand Proxy Settings.
3. Select the Yes check box.
4. In the Address box, enter the IP address or domain name of the proxy
server.
5. Enter the user name and password for the proxy server.
6. To override any local proxies, select the Yes check box.
7. Click Update.

Refresh Settings
You can set refresh intervals for scan jobs and Smart Rules.
Scans can run more efficiently when Smart Rules are set to refresh at longer
intervals.
To set refresh settings:
1. Select Options.
2. On the Application Options dialog box, expand Refresh Settings.
Maximum job refresh frequency (minutes) - Retina CS jobs are refreshed at
the interval entered here. When the refresh occurs, updates to schedules,
scanners, and Smart Rules will be updated for the job.
The default value is 360 minutes (6 hours).

Maximum Smart Rule Refresh Frequency for asset updates (minutes) - Set the
number of minutes for the refresh interval for Smart Rules.
Asset changes (assets added or removed from the Smart Rule) that
occur between the refresh interval are reflected in the rule.
The default value is 60 minutes.

Maintenance
Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
Diagnostics
Monitoring Services
Creating a Support Package

Viewing Status for Scanners and Agents
You can review details about your deployed Retina scanners and protection
agents.
Use the Agent Details page to determine if scanners or agents are out of
date.
To view asset details:
1. Select the Assets tab.
2. Select Agents.
3. Click the i button to review additional information.
The Agent Details page displays the following: IP address, computer
name, OS, workgroup, domain, and agent name and versions.
Note that you can change viewing preferences for the Agents page. You
can select preferences and create filters to determine the list of agents
and scanners that are displayed. For more information, see Changing the
Display.

Determining if a Retina Agent is Available
A Retina scanner agent might lose connectivity to Central Policy. You can
determine connectivity in the following places:

When you are setting up a scan, there is a warning icon next to an agent
name.

On the Agents page for Vulnerability Scanners, there is a warning icon in
the Retina Last Updated column.

The agent might not be able to accept the job request. Ensure the computer
hosting the Retina agent is online.

Removing Retina Agent Files
Clean Retina CS records for scheduled, queued, and completed jobs.
Ensure your Retina CS administrators are assigned the Scan Management
permission. For more information, see Creating User Groups.
To clean Retina agent files:
1. Select the Assets tab, and then select the Agents tab.
2. Select the agent in the list, and then click i.
3. Click Agent Maintenance.
Clean Retina Files - Deletes files from the following directory:
C:\Program Files (x86)\eEye Digital Security\Retina 5\Scans

Clean RCS Files - Removes all jobs for the selected agent,
including scheduled, queued, and completed jobs.

Reschedule existing scheduled jobs - When the Clean RCS Files check box
is selected, you can select this check box to reschedule jobs
automatically.

4. Click OK to save the settings.
5. Click Reset Engine to restart the Retina CS services.

Configuring a Failover Agent
Not supported in Retina CS Community.
You can configure a backup agent to provide redundancy in case an agent
fails.
To configure a failover agent:
1. Click the Assets tab.
2. Expand Agents and Scanners, and then click Vulnerability Scanners.
3. Click the Agents tab.
4. Select an agent, and then click i.

5. On the Agent Details pane, click Configure Failover Agent.
6. Select an agent. The Failover Agent field displays the name of the agent
that you select.
7. Click OK.
You can configure a failover agent timeout on the Configure tab. The default
timeout is 15 minutes.

Creating a Support Package
Create a support package that can be used by BeyondTrust Technical
Support. The package includes:

All logs in the Retina CS Logs folder.

Storage size statistics on the Retina CS database.

Certain database tables that contain information on Retina Protection
agents and Retina scanner agents and their jobs.

To generate the package:
1. Select Help > Generate Support Package.
2. Click Generate Support Package.
3. Click Save File.
4. Save the .zip file and email to your Technical Support representative.

Diagnostics
Not supported in Retina CS Community.
In this section:
Monitoring Services

Monitoring Services
On the Services page, you can:

Turn on debug logging

View the log files

See the status of the service (Running, Stopped, Paused)

Change credentials for the service

To review Retina CS services:
1. Select the Configure tab.
2. Select the Services tab.
3. Click View to open and review details in the log.
4. Click Email to send the log to selected email addresses.
To turn on debug logging:
1. Select the Configure tab.
2. Select the Services tab.
3. To turn on debug logging, click Enable Debug Logging.
All Retina CS services are restarted if you turn on debug logging.

Turn off debug logging after you finish troubleshooting Retina CS to
improve performance.
To change the credentials for the service:
1. Select the Configure tab.
2. Select the Services tab.
3. Click the button as shown:

4. Enter the credentials, and then click OK.

II. BeyondTrust Modules

Retina Scanner Agents
PowerBroker for Windows
Patch Management Module
System Center Configuration Manager
Retina Protection Agents
PowerBroker Servers for Unix & Linux
PasswordSafe
Regulatory Reports Pack
Configuration Compliance Pack

Retina Scanner Agents

Discovery Scanning
Running a Discovery Scan
Discovering Assets Using a Smart Group
Discovering Assets Manually
Running a Vulnerability Scan
Reviewing Vulnerability Scan Results
Creating a Quick Rule
Excluding Vulnerabilities
Remediating Vulnerabilities
Setting CVSS Metrics
Setting CVSS Environmental Metrics
Setting Base and Temporal Metrics
Configuring Retina Agent Scan Options
Performance Settings
Timeout Values
Event Routing
Setting Restrictions on Scan Times
Configuring General Scan Options
Scanner Pooling

Discovery Scanning
Run a discovery scan to locate network assets, such as workstations, routers,
laptops, and printers. A discovery scan also determines if an IP address is
active.
You can periodically repeat the discovery scans to verify the status of
devices and programs and the delta between the current and previous scan.
Note that discovered assets do not count toward your license.
Running a Discovery Scan
You run a discovery scan in the same way as a vulnerability scan. See
Running a Vulnerability Scan for a step-by-step procedure.
Review the following recommended Discovery scan settings:

On the Set Scan Options page, setting credentials is not required.
Typically, setting credentials for other types of scan templates is
recommended. However, for a discovery scan, you want to ensure that all
types of systems are detected, and credentials are not necessary. After
assets are detected, you can run audit scans using credentials to ensure
more thorough scan results.

On the Scan Policy Options page, here are some recommended settings:

Perform OS Detection - Select this check box.

Perform Traceroute - Select this check box.

Enumerate * - Clear all enumerate check boxes.

Randomize Target List - Select this check box.

Change the settings on the Edit Scan Settings page. See Configuring Scan
Settings.

Discovery ports. The default TCP discovery port list:
21,22,23,25,80,110,139,443,445,554,1433,3389

Use more than one scanner to distribute the coverage across the network.

Discovering Assets Using a Smart Group
You can discover assets when the Smart Group filter is an address group,
Active Directory query, or Cloud connector.
Any assets online since the Smart Group was last processed are detected
when the Use to discover new check box is selected.
The scan results on the Assets page reflect the number of assets found.
If you create an address group that includes a /19 CIDR block, that
range includes 8190 potential assets (the discovery scan will
always try to discover that many assets). Keep this in mind when
you are reviewing scan results.
Key steps:

Create an address group or Active Directory query that includes the IP
address range or domain. See the step-by-step procedures: Creating an
Active Directory Query or Creating an Address Group.
Alternatively, you can create the address group or query on-the-fly when
you are creating the Smart Group.

Create a Smart Group that includes the address group or query as the
filter. Ensure the discover assets check box is selected.

Note that you can use the Discover New assets check box on any scan.
However, the scan is slower when this option is selected.
It is recommended that you run a discovery scan at a regular interval (for
example, monthly or weekly schedule). Full vulnerability scans can then run
only on known targets.

Discovering Assets Manually
You can discover assets manually by entering a host name, IP address or
address range when running a discovery scan.

Running a Vulnerability Scan
Before setting up your scan settings, ensure the following is in place:

When you run a scan in Retina CS, you must select a report template to
determine the scope of the scanning. For a complete list of report
templates, see Reports Templates and Audit Groups.

Determine the assets to include in the scan. For example, you can create
Smart Groups, enter IP address ranges, or list named hosts.

Note that on the Assets page, you can individually select the assets to scan.

Tip: Ad hoc Scanning
You can enter any combination of IP address, IP address
range, and CIDR notation in the Named Hosts box. Separate
the entries using a comma.
For example, 10.10.10.20, 10.10.10.4-10.10.10.8,
192.168.1.0/24
Note, however, that if an IP address is invalid, no error message
indicates this; the invalid address is simply not scanned.
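Because Retina CS does not report an invalid entry in the Named Hosts box, it is worth validating a target list before you submit the scan. The following Python is an added example, not Retina CS code: it parses the comma-separated format shown above (single IP address, IP range, CIDR block or named host), reports each entry that would be silently skipped, and counts the addresses each entry expands to, which also shows the 8190-host size of the /19 block mentioned under Discovering Assets Using a Smart Group. The hostname pattern, the optional size limit and the function names are this example's assumptions.

```python
"""Validate a Retina CS style target list before submitting a scan.

Added example, not Retina CS code. The Named Hosts box accepts IP addresses,
IP ranges and CIDR blocks separated by commas, and silently skips invalid
entries. This parser reports what would be skipped and how many addresses
each entry expands to, so an oversized block (a /19 is 8190 hosts) is caught
early. Hostname handling is an assumption: the guide says named hosts are
accepted but does not define their syntax, so an RFC 1123 style pattern is used.
"""
import ipaddress
import re

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def classify(entry):
    """Return (kind, host_count) for one entry; raise ValueError if invalid."""
    if "/" in entry:
        network = ipaddress.ip_network(entry, strict=False)
        # Usable hosts only: 254 for a /24, 8190 for a /19.
        return "cidr", max(1, network.num_addresses - 2)
    if "-" in entry and entry[0].isdigit():
        start_text, end_text = (part.strip() for part in entry.split("-", 1))
        start, end = ipaddress.ip_address(start_text), ipaddress.ip_address(end_text)
        if start.version != end.version:
            raise ValueError("mixed address families in range")
        if end < start:
            raise ValueError("range end precedes range start")
        return "range", int(end) - int(start) + 1
    try:
        ipaddress.ip_address(entry)
        return "ip", 1
    except ValueError:
        pass
    # Digits and dots that failed as an IP address (e.g. 10.10.10.999) are a
    # typo, not a hostname, so they are rejected rather than queued as a host.
    if HOSTNAME_RE.match(entry) and not entry.replace(".", "").isdigit():
        return "host", 1
    raise ValueError("not an IP address, range, CIDR block or hostname")


def parse_target_list(text, max_hosts=None):
    """Split the comma-separated list into accepted and rejected entries.

    Returns (accepted, rejected): accepted holds (entry, kind, count) tuples,
    rejected holds (entry, reason). With max_hosts set, an entry expanding
    beyond that many hosts is rejected instead of being quietly queued.
    """
    accepted, rejected = [], []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            kind, count = classify(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if max_hosts is not None and count > max_hosts:
            rejected.append((entry, f"expands to {count} hosts, limit is {max_hosts}"))
            continue
        accepted.append((entry, kind, count))
    return accepted, rejected


def total_targets(accepted):
    """Total number of addresses the accepted entries will scan."""
    return sum(count for _, _, count in accepted)


if __name__ == "__main__":
    # The guide's own sample list plus two constructed bad entries.
    sample = "10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24, 10.10.10.999, 10.10.10.8-10.10.10.4"
    ok, bad = parse_target_list(sample)
    print("targets:", total_targets(ok))
    for entry, reason in bad:
        print(f"would be skipped: {entry!r} ({reason})")
```

On the guide's sample list the accepted entries total 260 addresses, and the two constructed bad entries are reported with a reason instead of disappearing from the job.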
To run a scan:
1. Select the Dashboard tab and click Assess; or select the Assets tab
and click Scan.
2. Select a report and click Scan.
3. Expand Scan and select one of the following:
Currently selected Smart Group, Currently selected Assets, a Single IP,
an IP Range, a CIDR Notation, or Named Hosts for the assets selected.
You can enter more than one named host. Separate the entries using a
comma.
If you select Currently selected assets and select a schedule other
than Immediate, then Retina CS automatically updates the scheduled job
on the agent with the list of assets in the selected Smart Group as they
change.

4. Benchmark scans only. Expand Benchmark Compliance Profile and
select a scan profile.
5. Expand Credentials Management and enter the credentials.
Click Test Credential to ensure the correct credentials are entered. You
can use Active Directory credentials or Retina CS web server
credentials. The test only applies to Windows credentials. Note that the
test is not to ensure access to target assets.
You can store credentials to reuse later. For more information, see
Adding Credentials.
a. To add credentials, click the pencil.
b. Click Add.
c. Enter the password, description, and key.
d. If you are creating more than one credential, you can use the same
confirmation key for all credentials. Select the Use the same key for all
check box, and then enter the key.
e. Click Save.
f. Select the new credential and click OK.

6. Expand Report Delivery to select the report delivery options.
Export type - Select a report format: PDF, DOC, XLS, NONE.
The export types available depend on the report selected.

Do not create a report for this vulnerability scan - Select this option if
you want to only scan and collect the results. No report will be
generated.

Notify when complete - Select the check box and enter email
addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.

Email report to - Select the check box and enter email addresses.
Separate entries using a comma.
Alternatively, click + and select users or user groups.
The report will be emailed to the users entered.

7. Expand Advanced to select the agent to run the scan.
Job Name - Type a job name. Otherwise, the default job name is
used.

Agent - Select the computer where the scan engine resides.

Use job-specific Scan Restrictions - Select the check box to display a
scheduling grid. Click the squares to set the restricted time frame. Scans
will not run during those times.
If scans are scheduled to run during a scan restriction, the scan can
be aborted when the restriction window starts. Select the check box
to apply this setting.
For more information, see Setting Restrictions on Scan Times.

Benchmark scans only. Store OVAL Test in database - Select the check box
to store OVAL test results in the Retina CS database.

8. Expand Schedule to select a schedule:
Note: If the server and client computers are located in different time
zones, the scan runs during the server time zone. This applies to
one-time scans and recurring schedules.

Immediate - Select to run the job now.

One Time - Select to schedule jobs to run one time. Select the start
time and date.

Recurring - Select one of the following:

Daily schedules jobs for weekdays, or every x number of days. Enter the
number of days.

Weekly schedules jobs every week selected (1-52), starting on the day of
the week selected.

Monthly schedules jobs for the day of the month selected for every month
selected. Options include the first/second/third/fourth and last day of
the month selected.

You can delete or change the recurring scan job later on the Jobs
page. See Managing Jobs.
9. Select Abort the scan if it takes longer than and enter the time in
minutes to restrict the length of time the scan runs.
10. Click Start Scan.
11. Click Show Status to view the progress of the scan. You can also view
the progress on the dashboard or through the Jobs page.

Reviewing Vulnerability Scan Results
After you run vulnerability scans you can review the results to determine the
assets that are vulnerable and require remediation.
You can view vulnerabilities that can be exploited. For any vulnerability with
a CVE-ID, exploit information associated with the CVE-ID is also
displayed. In some cases, exploits are displayed that are not associated with a
CVE-ID.
The Microsoft Exploitability Index is also included in the Exploits
information. The index values correspond to the values that are provided in
security bulletins issued from Microsoft. For more information on
interpreting the index values, refer to Microsoft documentation.
You can set display preferences and create filters to change the information
displayed on the Vulnerabilities page. For more information, see Changing
the Display.
To review the results:
1. Select the Assets tab.
2. Select Vulnerabilities.
Click the expand buttons to expand the vulnerabilities pane.

You can create Smart Rules based on vulnerabilities. Using this tool
provides additional filtering of the selected assets.

3. Click i to view more information about a vulnerability.
4. On the Vulnerabilities Details pane, select the following to review more
information:
Exploit Count - The number indicates the exploits on the
vulnerability.
Click the button to review the database, module, and module URL.

Assets - The number indicates the assets affected by the vulnerability.
Click the button to expand the details pane and review the asset
information.

References - The number indicates the available resources for remediation
of the vulnerability.
Click the button to expand the details pane. Select a web site to find
out more information on the vulnerability.

Patches - The number indicates the patches that can fix the
vulnerability.
Click the button to review more information about the patches.
For more information, see Managing Patch Updates.

STIGs - The number indicates the STIGs associated with the vulnerability.
Click i to open the STIG Details window. You can review the
following information: MACs, IA Controls, References, Systems
Affected.

More Information - Click to open the Vulnerability Details window to view
a description of the vulnerability, solution, PCI severity, references,
and CVSS score.
You can also set or remove an exclusion property on the
vulnerability. For more information, see Excluding Vulnerabilities.

Creating a Quick Rule
After you run a scan, you can organize assets linked to a specific
vulnerability, attack, or malware by creating a Quick Rule.
In the Attacks, Vulnerabilities, or Malware view, you can click the arrow to
create a Quick Rule that instantly creates a grouping of assets in the Smart
Groups pane.

Excluding Vulnerabilities
You can exclude vulnerabilities from the display and only view those that
require remediation to satisfy regulatory compliance.
Depending on your environment, accepted vulnerabilities (a false positive)
might be reported in the scan. For example, if Anonymous FTP is
configured on your network, vulnerabilities will be reported in your scan
results. Since this type of vulnerability does not require remediation (patch
or compliance updates), you can ignore these scan results.
Records for exclusions reside in the database. During an audit, you can
remove the exclusion on the record.
You can run the Vulnerability Exclusions report to keep track of the
exclusions. The report includes the reason for the exclusion and the expiry
date.
Note: Vulnerability exclusions do not apply to the parent Smart Group
when the exclusion is set at a child Smart Group.
To set or remove the exclusion property on a vulnerability:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.

3. Click the Exclusions check box for a vulnerability.
4. On the Manage Vulnerability Exclusion dialog box, select the options:
Action - Select to set or remove the exclusion.

Exclude Vulnerability - Select the Smart Group where you want to apply
the exclusion.
You can also select Globally. The exclusion applies to all assets.

Reason/Note - Provide a detailed description of why the vulnerability is
excluded.
For example, you might want to note that the vulnerability is an
accepted false positive.
The reason is required and is displayed in the Vulnerability
Exclusions report to help you keep track of the exclusions.

Expiration Date - Select the expiration date on the exclusion.

5. Click Save.

Malware Toolkit Vulnerabilities
A malware toolkit can be detected if there is one associated with a
vulnerability.
To see if a vulnerability belongs to a malware toolkit:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
3. Select a vulnerability and click the i.

A red T indicates that the vulnerability is associated with a malware
toolkit.
4. Click View Toolkits.

Review more information about the malware toolkit and the recommended
mitigation action.

Remediating Vulnerabilities
You can remediate vulnerabilities by viewing solutions on the Vulnerability
Details page.
You can use the ticket system to assign a vulnerability or attack to a member
of your security team. See Working with Tickets.
1. Select the Assets tab, and then click Vulnerabilities.
2. Click i for a vulnerability.
A description and solution are displayed.
The Mitigation column provides information on action to take to remediate
the vulnerability.

Setting CVSS Metrics
Depending on your security plan, you might want to change CVSS scores.
Changing the score indicates to your security team the urgency to remediate
a vulnerability.

You can change the base and temporal values to change the CVSS score
(depending on the weight of the vulnerability and how urgently it must be
remediated).
You can configure:

Environmental scores using the Smart Rules Manager.

Base and temporal scores using the Vulnerability Details page.

You must be familiar with CVSS scoring definitions and concepts. Refer to
the CVSS Scoring Guide.
Setting CVSS Environmental Metrics
The environmental metrics are based on your security plans. Determine the
level of impact a vulnerability has on your assets and assign environmental
metrics accordingly.
You can create a Smart Group that includes the assets where you want to
assign the environmental metrics.
To set the environmental metrics on assets:
1. Select the Assets tab.
2. Click Manage Smart Rules.
3. Click New Rule.
4. Enter a name and description, and set the Smart Rule criteria that
determines the scope of the assets.
5. In the Perform Actions area, select Set Environmental CVSS Metrics.
6. Select the metrics from the corresponding lists.

7. Click Save.
Later when you edit the Smart Group, the Show asset as Smart Group list is
also displayed, as shown:

Setting Base and Temporal Metrics
After you create a Smart Group that contains the assets with the preferred
environmental metrics, you can update CVSS scores on the Vulnerabilities
page.

To change the CVSS metrics for a vulnerability:
1. Select the Assets tab.
2. Select the Smart Group with the environmental metrics configured.
3. Click Vulnerabilities.
4. Select a vulnerability, and then click i.
5. Click the pencil.
6. Change the base and temporal values.
The CVSS score and CVSS vector change as you change the base and
temporal metrics.
Click the vector link to go to the National Vulnerability Database CVSS
v.2 Calculator web site.
7. Click Save.
Reviewing Asset Risks on the Network Map
On the network map you can review the assets at risk in your environment.
The network map requires Sun Java 5.0 SE Update (or later) to display
correctly.
To review assets using the network map:
1. Select the Assets tab.
2. Click Map.
The network map might disappear when you select other menu items or
options on the window. Click Home to display the network map again.
3. Click the nodes on the map.
4. Hover on the items to display vulnerability information.
5. To filter the information displayed in the network map, select a Smart
Group and view only those vulnerabilities you are interested in.

Configuring Retina Agent Scan Options
Not supported in Retina CS Community.
You can configure Retina scan options to improve performance and
reliability.
Performance Settings
A large number of scan targets can affect server performance and scan
quality. The result is an unresponsive or slow server, or poor scan quality,
such as known services not being found or known open ports not being
identified.
To improve performance, you can:

Reduce the number of targets

Adjust the scan speed downward

Override the TCP connection limit to increase the scan speed

If you override the TCP connection limit, the TCP incomplete connections
limits are removed for all applications during the scan.
Timeout Values
Configure ping and data timeout values to compensate for network latency.
If pings are not returning in time for Retina to detect them, increase the ping
timeout value.
To configure scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Scanner tab.
4. In the Performance area, configure the following settings:
Number of Simultaneous scan targets - Set the number of
targets to scan simultaneously.
The maximum is 128 targets.

Adaptive Scan Speed - Set the delay between bursts of packets sent during
a SYN scan.
1 = longest delay
5 = almost no delay

Enable TCP connection limit override - Select the check box to override
the TCP connection limit.

Note: The TCP Connection Limit Override is available on
Windows XP SP2 and later and Windows 2003 SP1 only.
This is not available for Windows NT or Windows 2000.
5. In the Reliability area, configure the following settings:
Ping Timeout - Enter the number of seconds.

Data Timeout - If the Retina agent is not receiving complete data from
assets or hosts when services are under heavy load, increase the timeout
value.

6. Click Save.
Event Routing
Turn on event logging to send scan data to Retina CS, including:

Port information

Services

General scan information

To turn on event routing:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Event Routing tab.
4. Select the Enable Event Logging check box.
5. Select the risk level of the audits to include in routing to Retina CS.
Audits include a risk level that corresponds to the severity of the
vulnerability detected.

Information - Details host information that does not necessarily represent
a security threat, but can be useful to the administrator to assess the
security.

Low - Defines risks associated with specific or unlikely circumstances.

Medium - Describes serious security threats that would allow a trusted but
non-privileged user to gain access to sensitive information.

High - Indicates vulnerabilities that severely impact the overall safety
and usability of the network.

6. Click Save.

Setting Restrictions on Scan Times
You can set a scan restriction so that scans will not run during the restricted
time frame.
Apply scan restrictions on:

One scan only. Configure the restricted scan time when you are
configuring the scan.

Global. Configure the restricted scan time on the Configure tab.

To set a scan restriction on all scans:
1. Select the Configure tab.
2. Select the Scan Options tab.
3. From the Agent list, select an agent or select Global.
If you select an agent, you might want to override scan restrictions
already set for that agent. Select the Use Global Scan Restrictions
check box to apply the global settings.
4. Click the squares to set the restricted time frame.

5. Select the Abort in progress scans check box to stop all scans that are
running when the scan restriction window starts, otherwise running
scans are paused and then resume when the scan restriction ends.
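The restriction grid and the abort-or-pause choice can be modelled as follows. This Python is an added example, not Retina CS code: the grid layout (weekday by hour), the function names and the sample business-hours window are assumptions, and the last helper illustrates the note under Running a Vulnerability Scan that scheduled scans run on the server's clock, not the client's.

```python
"""Scan restriction windows as a weekly day-by-hour grid.

Added example, not Retina CS code. The guide describes a grid of squares
marking times when scans must not run, and a choice between aborting and
pausing scans still running when a window opens. The grid layout, function
names and the sample business-hours window are assumptions.
"""
from datetime import datetime, timedelta, timezone

DAYS, HOURS = 7, 24   # weekday index follows datetime.weekday(): Monday = 0


def build_grid(restricted_ranges):
    """restricted_ranges: (weekday, start_hour, end_hour) half-open hour ranges."""
    grid = [[False] * HOURS for _ in range(DAYS)]
    for weekday, start, end in restricted_ranges:
        for hour in range(start, end):
            grid[weekday][hour] = True
    return grid


def is_restricted(grid, when):
    """True when `when` falls inside a restricted square."""
    return grid[when.weekday()][when.hour]


def next_allowed_start(grid, when):
    """Earliest moment at or after `when` that is outside every window.

    Inside a window this walks forward hour by hour (at most one week).
    """
    if not is_restricted(grid, when):
        return when
    probe = when.replace(minute=0, second=0, microsecond=0)
    for _ in range(DAYS * HOURS):
        probe += timedelta(hours=1)
        if not is_restricted(grid, probe):
            return probe
    raise ValueError("every hour of the week is restricted")


def on_window_start(running_scans, abort_in_progress):
    """Apply the 'Abort in progress scans' setting when a window opens.

    Aborted scans stop; paused scans resume when the restriction ends.
    """
    action = "aborted" if abort_in_progress else "paused"
    return {scan: action for scan in running_scans}


def to_server_time(client_time, server_tz):
    """Schedules run on the server's clock: convert a client-local time."""
    return client_time.astimezone(server_tz)


# Constructed sample: no scanning 08:00-18:00, Monday to Friday.
BUSINESS_HOURS_GRID = build_grid([(weekday, 8, 18) for weekday in range(5)])
MONDAY_NOON = datetime(2013, 6, 10, 12, 0)      # 10 June 2013 is a Monday
SATURDAY_NOON = datetime(2013, 6, 15, 12, 0)
PDT = timezone(timedelta(hours=-7))             # constructed client offset
SERVER_TZ = timezone.utc                        # constructed server clock
CLIENT_0900_PDT = datetime(2013, 6, 10, 9, 0, tzinfo=PDT)

if __name__ == "__main__":
    print("Monday noon restricted:", is_restricted(BUSINESS_HOURS_GRID, MONDAY_NOON))
    print("Next allowed start:", next_allowed_start(BUSINESS_HOURS_GRID, MONDAY_NOON))
    print("Running scans when the window opens:", on_window_start(["job-a"], abort_in_progress=False))
    print("09:00 PDT on the server:", to_server_time(CLIENT_0900_PDT, SERVER_TZ))
```

A scan requested at Monday noon against this grid is held until 18:00; a client in a UTC-7 zone scheduling "09:00" gets a 16:00 job on a UTC server, which is the mismatch the time-zone note warns about.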

Configuring General Scan Options
To configure general scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the General tab.
4. To turn on logging, select the logging check box.
5. To automatically check for updates, configure the following settings:
Check for updates to a schedule - Select a start time and
frequency.

Check for updates when launching Retina - Select the check box
to check for updates when you start Retina.

Number of seconds to prompt before launching - Enter the number of
seconds to wait before starting the updater.

6. Set a timeout value for a failover agent. To configure a failover agent, see
Configuring a Failover Agent.
7. Set maintenance options to purge Retina information.
8. Set the minutes that pass before Retina checks for updates from the
Central Policy server. The default value is 15 minutes.
9. Click Save.

Scanner Pooling
You can use scanner pooling to select more than one scanner agent when
scanning a large number of assets. When more than one scanner is selected
for a scan job, the list of target assets is divided among the selected scanners
in a round-robin style, evenly distributing the target scan range.
To use scanner pooling, select more than one scan agent when running a
scan, or use the "Set Scanner" action in a Smart Rule to lock a set of
scanners to that Smart Group.
Note that when using scanner pooling, you cannot automatically generate a
report when a scan finishes.

To lock a scanner agent to a Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule.
3. Enter a name and description.
4. From the Perform Actions area, select Show asset as Smart Group.
5. Click the +, and then select Set Scanner.

6. Click the browse button to select the scanners to associate with the
Smart Group.
7. Select the distribution algorithm.

Round Robin Asset Distribution - Targets are assigned to scanners
one-by-one. This method balances the distribution of scan targets.

Rule Locked Asset Distribution - The Rule Locked distribution algorithm is
designed and recommended for multiple scanner jobs where child Smart Rules
are defined in a parent Smart Rule.
Each child Smart Rule will always use the scanner assigned in the child
Smart Rule when this distribution algorithm is used.
This ensures that scanners assigned in child Smart Rules will not scan
across other child targets.

8. Click Save.
Note that on the Job Details page, the agent name indicates if the scanner is
part of a pool.
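The two distribution algorithms described above, as an added Python example that is not Retina CS code. The round-robin split hands targets to the pooled scanners in turn; the rule-locked split keeps each child Smart Rule's targets with the scanner set in that rule. The data shapes, the sample addresses, and the handling of a target that appears under two child rules with different scanners (reported rather than assigned twice) are this example's own assumptions.

```python
"""Distributing scan targets across a scanner pool.

Added example, not Retina CS code. Shows the two distribution algorithms the
Set Scanner action offers: round-robin, which hands targets to the pooled
scanners one by one, and rule-locked, where each child Smart Rule's targets
go only to the scanner assigned in that child rule. Data shapes are assumed.
"""


def round_robin(targets, scanners):
    """Assign targets to scanners in turn so each scanner gets an even share."""
    if not scanners:
        raise ValueError("a pool needs at least one scanner")
    assignment = {scanner: [] for scanner in scanners}
    for index, target in enumerate(targets):
        assignment[scanners[index % len(scanners)]].append(target)
    return assignment


def rule_locked(child_rules):
    """child_rules: (rule_name, scanner, targets) for each child Smart Rule.

    Targets stay with their own rule's scanner. A target listed under two child
    rules with different scanners is reported as a conflict instead of being
    scanned twice (this example's choice; the guide does not define the case).
    Returns (assignment, conflicts).
    """
    assignment, owner, conflicts = {}, {}, []
    for _rule_name, scanner, targets in child_rules:
        bucket = assignment.setdefault(scanner, [])
        for target in targets:
            if target in owner and owner[target] != scanner:
                conflicts.append((target, owner[target], scanner))
                continue
            if target not in owner:           # also drops repeats within one rule
                owner[target] = scanner
                bucket.append(target)
    return assignment, conflicts


def share_sizes(assignment):
    """How many targets each scanner in the pool received."""
    return {scanner: len(targets) for scanner, targets in assignment.items()}


# Constructed sample data.
SCANNERS = ["scanner-a", "scanner-b", "scanner-c"]
TARGETS = [f"10.0.0.{n}" for n in range(1, 11)]   # ten hosts
CHILD_RULES = [                                   # (name, locked scanner, targets)
    ("child-dmz", "scanner-a", ["10.0.1.1", "10.0.1.2"]),
    ("child-lan", "scanner-b", ["10.0.2.1", "10.0.1.2"]),  # 10.0.1.2 overlaps child-dmz
]

if __name__ == "__main__":
    print("round robin:", share_sizes(round_robin(TARGETS, SCANNERS)))
    locked, clashes = rule_locked(CHILD_RULES)
    print("rule locked:", locked)
    print("conflicts:", clashes)
```

With ten targets and three scanners the round-robin pool ends up 4/3/3; the rule-locked split never moves a DMZ target onto the LAN scanner, and the overlapping address is surfaced for the rule author to resolve.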

PowerBroker for Windows
Using Retina CS and PowerBroker for Windows together, you can:

Collect privilege-related event log data from assets.
This data includes information about the applications being used, the
privileges they require, and how they are launched, and information about
which users have administrator privileges.

Deploy PowerBroker for Windows policies to your assets.
Create your PowerBroker for Windows rules and policies as usual using
PowerBroker for Windows. Upload the policies to Retina CS and, using the
Central Policy technology, deploy the rules to your managed assets.

Create File Integrity rules in PowerBroker for Windows and manage the
results in Retina CS.

Sort and filter data into useful reports and generate PowerBroker rules
for applications based on user needs for privilege elevation. This is a best
practice approach for discovering applications and the construction of
quick and concise rules for any user or computer.

Configure Session Monitoring in PowerBroker for Windows and review the
events in the Retina CS console.

Note: Before you can use the Application Discovery functions of
PowerBroker to create rules, install Retina CS on a compatible host with
the proper prerequisites or install an appliance with the solution from
BeyondTrust.
For more information about the PowerBroker reports available in Retina CS,
see PowerBroker for Windows Reports.

Overview

PowerBroker for Windows (PBW) is designed to integrate directly into your
corporate Active Directory (AD) structure without modifying your existing
schema.
An administrator loads a Group Policy Object (GPO) snap-in onto an asset
that uses the Microsoft Management Console (MMC). An administrator can
then create policies and rules that are stored in the AD domain.
An administrator can also access the Retina CS management console through
a web interface to run reports or create additional rules based on
collected events from the environment.
As domain assets log on (servers, workstations, or remote clients labeled
4) they receive policy from the domain controller that is processed by the
PBW agent.
The PBW agent is installed on each device and can be distributed through a
software delivery solution or even through GPO. This enforces privilege
identity management rules on the endpoint and sends status events back to
Retina CS for additional reporting, trending, and rule creation.

Creating a Smart Group

You can create a Smart Group to organize your PowerBroker assets. You can
set filters based on the PowerBroker client, Windows events, and
PowerBroker Windows events.

For detailed instructions on Smart Groups, see Working with Smart Rules.

Creating PowerBroker Rules

You can create rules after event data is collected from PowerBroker for
Windows.
For more detailed information about rules, refer to the PowerBroker for
Windows product documentation.
The rule types that you can create from Retina CS include ActiveX, Hash,
Path, Publisher, and MSI. Exclusion rules can also be created.
To create a PowerBroker for Windows rule:
1. On the Retina CS console, select the Assets tab, and then click the
PowerBroker tab.
2. Click the arrow for the events and select the rule type.
Note: There are two ways that you can view events: Rollup and All.
The Rollup view displays all events grouped by Message,
Application/ActiveX, Path, Publisher, EventType, RuleType,
then Hash. In the Rollup view you can select more than one
event. In the All view, select one event at a time.
The PowerBroker Rule XML dialog box is displayed.
3. Copy the XML code to the collection in the PowerBroker for Windows
GPMC snap-in.

Including Arguments in a Rule

When you are creating a rule you can include arguments. Select the Yes
check box on the Application Options dialog box.
Arguments can be included when creating the following rule types: Path,
Hash, MSI.
Creating rules for a denied application (28698) will include arguments when
the check box is selected.

Marking Events to Exclude

You can exclude events from rules. For example, you might want to exclude
certain applications that are flagged as requiring administrative privileges.
To exclude events:
1. On the Retina CS management console, click the Configure tab, and
then click Exclusions.
2. Select an existing exclusion or click + to create an exclusion.
3. Select the exclusion type:
• Admin rights - Excludes all events that match the path for the
exclusion you chose. Retina CS provides a predefined list of these
exclusions. This list contains applications that are commonly
incorrectly detected as requiring administrative privileges.
Any exclusion path with a * will recurse directories. For example,
c:\windows\system32\* will exclude any executables in system32 and any
executables in a subdirectory of system32.
You must provide the full path. For example,
C:\Windows\HelpPane.exe
• Application Exclusion - Excludes all events that match the
application you are excluding.
You must provide the application name only. For example,
HelpPane.exe
• Publisher Exclusion - Excludes all events that have the same
publisher value.
You must follow the format: "O=Microsoft Corporation,
L=Redmond,S=Washington,C=US"
4. Click Save.
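To make the three exclusion types concrete, here is an added PowerShell example. It is not part of Retina CS or of this guide; the functions Test-AdminRightsExclusion, Test-ApplicationExclusion, Test-PublisherExclusion and Get-ExcludedEvents, the exclusion list and the event records are all constructed for illustration, and the real evaluation happens inside Retina CS. It shows the matching rules this section states: a trailing * on an Admin rights path recurses into subdirectories, a path without * must be the full path, an Application Exclusion matches on the file name alone, and a Publisher Exclusion must reproduce the publisher string exactly.

```powershell
# Added example (not Retina CS code): simulate how the three exclusion
# types described above match PowerBroker events. The helper functions,
# the exclusion list and the event records are all constructed here.

function Test-AdminRightsExclusion {
    param([string]$Path, [string]$Exclusion)
    # A trailing "\*" recurses: c:\windows\system32\* covers executables
    # in system32 and in every subdirectory of it. Without "*", the
    # exclusion must be the full path. Windows paths are case-insensitive.
    if ($Exclusion.EndsWith('\*')) {
        $prefix = $Exclusion.Substring(0, $Exclusion.Length - 1)   # keep the trailing "\"
        return $Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    }
    return ($Path -eq $Exclusion)   # -eq is case-insensitive in PowerShell
}

function Test-ApplicationExclusion {
    param([string]$Path, [string]$Exclusion)
    # Application exclusions carry the file name only, so compare the leaf.
    return ($Path.Split('\')[-1] -eq $Exclusion)
}

function Test-PublisherExclusion {
    param([string]$Publisher, [string]$Exclusion)
    # Publisher exclusions compare the whole "O=...,L=...,S=...,C=..."
    # string, so the rule must be written in exactly that format.
    return ($Publisher -eq $Exclusion)
}

function Get-ExcludedEvents {
    param($Events, $Exclusions)
    foreach ($e in $Events) {
        # Collect a description of every exclusion that matches this event.
        $matched = foreach ($x in $Exclusions) {
            $hit = switch ($x.Type) {
                'AdminRights' { Test-AdminRightsExclusion -Path $e.Path -Exclusion $x.Value }
                'Application' { Test-ApplicationExclusion -Path $e.Path -Exclusion $x.Value }
                'Publisher'   { Test-PublisherExclusion -Publisher $e.Publisher -Exclusion $x.Value }
            }
            if ($hit) { "$($x.Type): $($x.Value)" }
        }
        [pscustomobject]@{
            Path     = $e.Path
            Excluded = [bool]$matched
            Reason   = ($matched -join '; ')
        }
    }
}

# Constructed exclusions, written the way this section requires them.
$exclusions = @(
    @{ Type = 'AdminRights'; Value = 'c:\windows\system32\*' },
    @{ Type = 'AdminRights'; Value = 'C:\Windows\HelpPane.exe' },
    @{ Type = 'Application'; Value = 'HelpPane.exe' },
    @{ Type = 'Publisher';   Value = 'O=Microsoft Corporation, L=Redmond,S=Washington,C=US' }
)

# Constructed events (not collected data). The second one shows that an
# admin-rights exclusion needs the full path while an application
# exclusion matches on the file name wherever the file lives.
$events = @(
    @{ Path = 'C:\Windows\System32\drivers\etc\tool.exe'; Publisher = 'O=Example Corp,L=Nowhere,S=NA,C=US' },
    @{ Path = 'C:\Program Files\Vendor\HelpPane.exe';     Publisher = 'O=Vendor,L=City,S=State,C=US' },
    @{ Path = 'C:\Program Files\Vendor\setup.exe';        Publisher = 'O=Microsoft Corporation, L=Redmond,S=Washington,C=US' },
    @{ Path = 'C:\Tools\custom.exe';                      Publisher = 'O=Example Corp,L=Nowhere,S=NA,C=US' }
)

Get-ExcludedEvents -Events $events -Exclusions $exclusions | Format-Table -AutoSize
```

Running it lists the first three events as excluded (recursive path, application name, and publisher respectively) and the last one as not excluded; the Reason column names the exclusion that fired, which is the same information you would want when reviewing why a flagged application no longer appears in the rule candidates.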

Deploying and Managing Policies Using Retina CS

You can configure PowerBroker for Windows to use Central Policy to
deploy policies through Retina CS rather than using GPMC.
During the installation of PowerBroker for Windows, you can choose to
deploy policies using Central Policy. Ensure the following Central Policy
setting is selected:

For more information about deploying PowerBroker for Windows, refer to
the PowerBroker for Windows Installation Guide.

Deploying Policies
Create your rules and policies in PowerBroker for Windows as usual.
Create Smart Rules to determine the assets where the policies need to be
deployed.
To use Retina CS to deploy PowerBroker for Windows policies:
1. Log on to Retina CS, and then go to the Smart Rules Manager.
2. Select the PowerBroker for Windows assets and the policy that you want
to deploy.

3. Click Save.
Reviewing Policies
You can review the list of policies available from PowerBroker for Windows
on the Configure tab.

Session Monitoring
You can track the following events:
• Keystroke logging
• Mouse events
• Process events
• Screen captures
The events are configured in PowerBroker for Windows. For more
information on configuring session monitoring, refer to the PowerBroker for
Windows product documentation.


Note: To use this feature you must have the Session Monitoring license
key activated. Contact your BeyondTrust representative for more
information.

Viewing Events on the Session Viewer

To view events:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session
Monitoring.
3. Click i for a particular asset.

On the Session Viewer page, you can view more details about the
events.
4. Double-click an event (or click i) to view more details about the event
on the right pane.

Filtering Events
You can filter the events that are displayed in the Session Viewer.

Viewing Screen Capture Events

When viewing screen captures, you can zoom in and zoom out, and scroll
through all of the screen captures saved during the session.
If there is more than one monitor for an asset the Session Viewer displays
the following titles: Display1, Display2...

Saving Session Data

You can save the session monitoring data to a zip file to view the
information offline at a later time.
It might take a few minutes to save the file depending on the number of
events captured.
To save session data to a file:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session
Monitoring.
3. Click the arrow for an asset, and then select Download Session Data.
4. Save the file to the preferred location.

Patch Management Module

The Patch Management module requires a license to activate the feature
set. Contact your BeyondTrust representative.
In this section:
Overview
How Patching with WSUS Works
How a Patch Deployment Works
Third-party Patch Deployment
Connecting to a WSUS Server
Requirements
Adding a Connection
Connecting to a Downstream Server
Installing the WSUS Administration Console
Registering Smart Groups
Redeploying Configuration
Approving Patch Updates
Reviewing Patch Details
Deleting Patches
Third-Party Patching
Generating a Certificate
Subscribing to Vendor Patch Updates
List of Supported Vendors

Overview
Use the Patch Management Module to deploy important patches to selected
assets.
Note: Using the Patch Management Module does not override any
automation policies you might have in place with your existing
Windows Server Update Services (WSUS) configuration. Those
policies are retained and applied as usual.
How Patching with WSUS Works
Retina CS integrates with WSUS to facilitate Microsoft and third-party
patching. Retina CS uses WSUS as the patching engine and effectively
becomes a management console to WSUS.
You must be familiar with WSUS features to understand the Retina CS
integration with WSUS. The WSUS client is built into the Microsoft OS;
however, it needs to be enabled and configured. In typical WSUS-only
environments this is accomplished through GPOs. When using Retina CS,
clients are enabled and configured through Retina CS.
The Retina CS configuration and patch deployment process is outlined here.
• Configure a Retina CS connection to an existing WSUS Server;
Retina CS becomes a management console for WSUS.
• Configure Smart Groups for patch management. This configures
members of the Smart Group, i.e., the clients, for WSUS by making
changes to the registry.
• Identify and approve patches.
• Clients periodically check WSUS for approved patches, which are
then downloaded and installed.

How a Patch Deployment Works

• Patches are approved in Retina CS; consequently, they are marked
as approved in WSUS.
• The client polls WSUS for any relevant, approved patches.
• Patches are downloaded to the client. Optionally, per the Smart
Group settings, the client may be notified that approved patches are
available and then prompted to download and install them.
• Patches are automatically installed per default settings. Optionally,
per the Smart Group settings, the client may be notified that
patches have been downloaded and then prompted to install them.
• The new patch status is sent to WSUS.
• Retina CS retrieves the current patch status from WSUS.

Third-party Patch Deployment

Third-party patching is the same as Windows patching with the following
differences at these steps.
• Third-party patches are sent to the client with the third-party
certificate that was generated when the connection to WSUS was
created.
• The certificate from WSUS is verified against the existing certificate
on the client that it received when its associated Smart Group was
enabled for patch management. Trust is now established for third-party
patch deployment per Microsoft requirements.

Connecting to a WSUS Server

To deploy patch updates, you must connect to a Windows Server Update
Services (WSUS) server.
If you are working in a larger environment and use downstream servers to
apply patch updates, you can create connections to the downstream servers
in the Patch Management configuration. This helps distribute the workload
of applying patches to many assets.
Requirements
Installing on Windows Server 2003 SP1
• Microsoft IIS 6.0
Ensure the user installing and configuring WSUS is a member of the
group IIS_WPG.
• Update for BITS 2.0 and WinHTTP 5.1
(http://go.microsoft.com/fwlink/?LinkID=47251)
• Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
32-bit (http://go.microsoft.com/fwlink/?LinkID=68935)
64-bit (http://go.microsoft.com/fwlink/?LinkID=70637)
• Microsoft Report Viewer Redistributable 2005
(http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft Management Console 3.0 for Windows Server 2003
(KB907265)
32-bit (http://go.microsoft.com/fwlink/?LinkID=70412)
64-bit (http://go.microsoft.com/fwlink/?LinkID=70638)
Installing on Windows Server 2008
• Microsoft IIS 7.0. Ensure the following components are turned on:
  - Windows Authentication
  - ASP.NET
  - 6.0 Management Compatibility
  - IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005
(http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1
Note that .NET Framework 2.0 and the BITS 2.0 update are part of the
Windows Server 2008 OS.

Adding a Connection
You can create a connection to an upstream and downstream server.
The downstream server synchronizes with the upstream server to manage
patch updates. Note that downstream servers are configured in WSUS.
To connect to a WSUS server:
1. On the Retina CS console, select Configure, and then click the Patch
Management tab.
Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials
for the server.
Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.
Note: The WSUS Administration Console must be installed if WSUS
and Retina CS are not on the same server. For more information,
see Installing the WSUS Administration Console.
4. Click Save.
5. After you connect to a WSUS server, set the following options.
• Synchronization - Select the time that you want to synchronize the
patches with the WSUS server.
The schedule determines the frequency that WSUS checks with
Microsoft Update Servers for new patches.
If this is a new installation, the initial synchronization can take
several hours depending on the number of items selected in the
Products and Classification section.
If you are using downstream servers, increase the frequency of the
synchronizations per day. All updates and approvals occur on the
upstream server. Increasing the frequency ensures that all assets
receiving updates from the downstream server are updated when the
approvals are applied on the upstream server.
• Products and Classifications - Select the updates to subscribe to.
• Downstream Servers - Displays the downstream servers for the
selected server.
• Third Party Certificate - Generate or import a certificate to
subscribe to vendor patch updates.
For more information, see Third-Party Patching.
Note that the Groups feature is not supported in Retina CS
Community.
• Groups - Select the check boxes for the groups that already exist in
WSUS. Additionally, select synchronization frequency, credentials,
and how you want patches applied.
After you click Save, a patch-enabled Smart Group for each WSUS
group that you selected is displayed in the Smart Groups browser
pane.

Connecting to a Downstream Server

When you configure assets for patch updates in the Smart Rule, you can
choose the downstream server that will apply the updates and patches to the
assets.
In the Patch Management Configure area, you can view information on
upstream servers and whether there are any downstream servers configured
on that upstream server.
A downstream server is displayed with a green arrow.

Installing the WSUS Administration Console

You must install the WSUS Administration Console if you want to connect
to an installation of WSUS on a different server.
Download the WSUS 3.0 Administration Console installer file:
http://go.microsoft.com/fwlink/?LinkId=88321
After you install the administration console, start the console and verify that
you can connect to the WSUS server that will be configured as the active
software update point.

Registering Smart Rules

Registering the group adds the group to the WSUS server database. The
assets in the group are then available for the updates. If an asset is a member
of two groups, the patch update applied will be the most recent one.
You can review the status of a patch group on the Asset Details pane (select
the Assets tab, click i). If the status is registered, patches can be approved
and installed on the patch group.
Checkpoint
• Create a Smart Rule to associate with the patch update schedule. A
Smart Rule is required. For more information, see Creating a Smart
Rule.
To register patch updates for a Smart Group:
1. Select the Assets tab.
2. Click Manage Smart Rules and then click New Rule.
3. Enter a name and description for the patch group.
4. Select an existing category or create a new category.
5. Select the asset matching criteria. Select Asset fields from the list, then
select matching criteria: Last Updated Date, Status, Current Policy,
Pending Policy, Wsus Status, or Patch Install Schedule.
6. From the Perform Actions area, select Enable for Patch
Management, then select values for the following:
• Credentials - Click the browse button to open the Manage Patch
Credentials page. Create or select the preferred patch credentials.
Ensure the credentials provided can access the registry and install the
certificate on the target asset.
The credentials apply only to the Patch module. The credentials are
not related to vulnerability scans or the WSUS server connection.
• WSUS Servers - Select the WSUS servers from the list.
• Important Updates - Select if you want to:
  - Download and install updates automatically - Client computers poll
  WSUS at the selected day and time and download and install
  approved updates.
  - Download updates but let me choose if the updates are installed -
  Client computers poll WSUS at regular intervals (1 hour by default),
  and download approved and relevant updates. After they are
  downloaded, notifications are sent to the system log and notification
  area of Retina CS.
  - Check for updates but do not download.
• Every / At - Select a day and time the client computers will poll the
WSUS server.
• Retry registration of errored Patch Management assets - Select the
check box to try registration again if the initial registration attempt
fails.
7. Click Save.
After clicking Save, the following occurs:
The client is contacted by one of three methods, listed in priority:
• If the client has the Retina Protection Agent (v. 4.7 or greater),
registry changes occur through the Central Policy connection.
• If the client does not have the RPA, registry changes occur through
the Remote Registry API. The Remote Registry service must be enabled
on the client. The supplied credentials must have permissions for
Remote Registry.
• If the first two fail, then registry changes are facilitated through
WMI, a service running on the endpoint.
Retina CS uses the supplied credentials to access and edit the client's
registry. The client is configured for WSUS and then pointed to the
WSUS Server. All other relevant registry parameters are set, see:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Optionally, Retina CS downloads the third party certificate to the client.
The client is now configured to poll WSUS for any approved updates; this is
standard WSUS client behavior. Note that polling may not occur
immediately and it may take up to 6 hours for WSUS clients to display as
patch-enabled assets in Retina CS.
The patch group is displayed in the Smart Groups browser pane.
After the group is registered, you must approve the patches that you want to
apply to the assets.
Updates are installed during the time that you selected in step 6.
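Because a client can take hours to show up as patch-enabled, it helps to be able to confirm on the client itself that registration wrote the policy keys listed above. The following PowerShell is an added example, not code from Retina CS or this guide: the function Get-WsusClientConfig is hypothetical, the expected server URL is a placeholder, and the value names it reads (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency) are the standard Windows Update policy values under the two keys. The mapping of AUOptions to the three Important Updates choices (2 = check only, 3 = download and let me choose, 4 = download and install automatically) is the standard Windows Update meaning of those values, assumed here to be what registration sets. Given -ComputerName, it reads the client through the Remote Registry service, the second of the three contact methods described above, so it also exercises the same prerequisite.

```powershell
# Added example (not Retina CS code): read the Windows Update policy keys
# that patch registration writes on a client and report whether the client
# is pointed at the expected WSUS server. Reads the local registry by
# default; with -ComputerName it uses the Remote Registry service.

function Get-WsusClientConfig {
    param(
        [string]$ComputerName = '',                                    # '' = local machine
        [string]$ExpectedServer = 'http://wsus.example.internal:8530'  # placeholder URL
    )
    $base  = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $label = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # Standard meaning of AUOptions; assumed to map to the Important Updates choices.
    $auMeaning = @{
        2 = 'Check for updates but do not download'
        3 = 'Download updates but let me choose if the updates are installed'
        4 = 'Download and install updates automatically'
    }

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $wu = $hklm.OpenSubKey($base)
        $au = $hklm.OpenSubKey("$base\AU")
        if ($null -eq $wu -or $null -eq $au) {
            return [pscustomobject]@{ Computer = $label; Registered = $false; Reason = 'WindowsUpdate policy keys absent' }
        }

        $auOptions = $au.GetValue('AUOptions')
        $meaning   = $null
        if ($null -ne $auOptions) { $meaning = $auMeaning[[int]$auOptions] }

        $result = [pscustomobject]@{
            Computer             = $label
            WUServer             = $wu.GetValue('WUServer')
            WUStatusServer       = $wu.GetValue('WUStatusServer')
            UseWUServer          = $au.GetValue('UseWUServer')          # 1 = use the intranet server
            AUOptions            = $auOptions
            AUOptionsMeaning     = $meaning
            ScheduledInstallDay  = $au.GetValue('ScheduledInstallDay')  # 0 = every day, 1..7 = Sun..Sat (AUOptions 4)
            ScheduledInstallTime = $au.GetValue('ScheduledInstallTime') # hour of day, 0..23 (AUOptions 4)
            DetectionFrequency   = $au.GetValue('DetectionFrequency')   # hours between polls, if set
            Registered           = $false
            Reason               = ''
        }

        # A registered client is told to use an intranet server and points at the expected one.
        $problems = @()
        if ($result.UseWUServer -ne 1)                   { $problems += 'UseWUServer is not 1' }
        if ($result.WUServer -ne $ExpectedServer)        { $problems += "WUServer is '$($result.WUServer)'" }
        if ($result.WUStatusServer -ne $ExpectedServer)  { $problems += "WUStatusServer is '$($result.WUStatusServer)'" }
        if (-not $auMeaning.ContainsKey([int]$auOptions)) { $problems += "AUOptions '$auOptions' is not 2, 3 or 4" }

        $result.Registered = ($problems.Count -eq 0)
        $result.Reason     = ($problems -join '; ')
        return $result
    }
    finally {
        $hklm.Close()
    }
}

Get-WsusClientConfig | Format-List
```

Run it with -ComputerName set to a client and the credentials used for the Smart Rule; if it reports the policy keys as absent, or Registered as false with a Reason, the Redeploy Configuration option described in the next section is the fix this guide offers.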
Redeploying Configuration
You might need to redeploy the Smart Rule configuration settings in the
following scenarios:
• Registry settings are not properly set on the client
• Certificate for 3rd party patching not properly set
Select Redeploy Configuration to apply the settings in the Patch-enabled
Smart Rule.

Approving Patch Updates

After you register a Smart Group for patch updates, you can approve the
patches for installation.
Track the status of patch updates on the Patch pane. Select the Assets tab,
then Patch.
On the Approvals page, you can filter the patch status to determine the
patches that are installed, not installed, failed, and more.
Note that on the Approvals page, the most recent patches available are
always displayed. Any older patches superseded by new patches are no
longer displayed. You can, however, select the Show Superseded Patches
check box to review older patches not applied.
To display the Superseded column, click the Preferences button and then
select Superseded.
To approve patch updates for registered Smart Groups:

1. Select the Assets tab, and then select Patch.
After a patch group is registered, you can access the last accessed group
through the Mitigate button on the Dashboard.
2. Select a registered Smart Group from the browser pane.
To view the number of patch updates installed and not installed, hover
on the icon.
3. Select an asset, and then click i.
By default, only critical updates are displayed. You might need to change
the filters to display the relevant patches. Click the Filters button and
select the filters.
To view superseded patches, select the Show Superseded Patches
check box.
Patches are superseded when a new patch is available.
Microsoft patches are superseded automatically when a synchronization
occurs with WSUS.
4. Select a patch, and then select Approve.

5. Select the All Groups check box to apply the patch to all registered
patch Smart Groups; or select the check box for a particular Smart
Group.
The assets are set to check in with the WSUS server every hour.
If you select All Groups, and a group already has approved patches, the
menu changes to Keep existing approvals. This ensures that all previously
approved patches will still be deployed at the scheduled time.
Select Decline to remove the patch from the Not Installed list.
Selecting Not Approved does not apply the patch to the selected Smart
Group. However, the patch is still displayed in the Not Installed list.
Reviewing Patch Details
Click i to review more information about the update.
Click Apply Patch Now to install the update to the designated assets.
When selected, the clients are forced to check in with WSUS. The patch is
applied immediately regardless of the installation settings in the Smart Group
associated with the clients. The credentials in the Smart Group are used to
apply the patch.
Note that the client evaluates and downloads the patch before the
installation occurs.

Deleting Patches
You can delete patches either on the Asset details page or on the approval
page where patches are listed.

Third-Party Patching
You can download and deploy patches for third-party products such as
Adobe, WinZip, and Apple. For a complete list, see List of Supported
Vendors.
You can subscribe to vendor patches through the Retina CS Configure tab.

Generating a Certificate
After setting up a connection to WSUS, a Third Party section is available.
A message indicates that a certificate is required when you initially log on
and go to the Third Party section. The certificate establishes trust between
the WSUS server and the client.
If the WSUS connection is configured to use SSL, you can use the Import
button on the Third Party Certificate tab to import an external certificate or
use the Generate button to create a self-signed certificate.
Note that if the upstream server has a third-party certificate, then the
downstream server automatically receives the certificate. The certificate
feature is not available for downstream-only servers.
Click Generate.

Self-signed Certificates

If you are using a self-signed certificate for 3rd Party Patching, sometimes
Windows will automatically delete it.
If Windows finds a discrepancy with an intermediate certificate on the server,
it checks the certificate against its list of approved SSL certificates. If it does
not match, Windows removes it and logs the following in the Application log:
Event ID: 4108
Successful auto delete of third-party root certificate
To disable this feature and keep your root certificate installed:
1. Click Start > Run > gpedit.msc > OK.
2. Double-click Administrative Templates > System > Internet
Communication Management.
3. Select Internet Communication settings.
4. Double-click Turn off Automatic Root Certificates Update.
5. Select Enabled, and then click OK.
Subscribing to Vendor Patch Updates
To subscribe to vendor patch updates:

1. Select the Configure tab, and then select Patch Management.
2. In the Products and Classifications section, select the vendor patches
that you want to subscribe to.
Note that the patch classifications apply to Microsoft updates only.

3. Select the check boxes for the vendor products, and then click Save.

List of Supported Vendors

Vendor                      Product
Adobe Systems Incorporated  Adobe Flash Player
                            Adobe Acrobat
                            Adobe Reader
                            Adobe Shockwave - Firefox/IE
Apple Incorporated          Safari
Foxit Corporation           Foxit Reader
Google Incorporated         Chrome
Igor Pavlov (LGPL)          7-Zip
Mozilla Foundation          Mozilla Firefox
Opera Software ASA          Opera Browser
Oracle Corporation          Sun Java
Skype Limited               Skype
win.rar GmbH                WinRAR
WinZip International LLC    WinZip

System Center Configuration Manager

Not supported in Retina CS Community.
In Retina CS, you can create a connection to your Microsoft System Center
Configuration Manager (SCCM) site server and manage the software updates
to the collections.

Overview
The SCCM feature in Retina CS offers you a way to create a connection to
your SCCM server and manage deploying software packages to selected
collections.
An important difference between traditional Smart Groups in Retina CS and
the SCCM Smart Groups is that asset data is gathered from the collections in
SCCM and is stored in the Retina CS database. The assets have not been
scanned by Retina CS. You can use the synchronize feature on the SCCM
configure page to ensure the most current data resides in the Retina CS
database.
The package deployment feature in Retina CS is similar to SCCM and offers
most of the options that you are already familiar with.

Requirements
• The client must have SCCM installed or patches cannot be deployed and
applied.
• The SCCM Smart Groups are not patch-enabled like the WSUS Smart
Groups.
• The SCCM instance must have an Active Software Update Point
component configured prior to making a connection from Retina CS.

Creating a Connection to an SCCM Site Server

To connect to an SCCM Site Server:
1. On the Retina CS console, select Configure, and then click the SCCM
tab.
2. Click +, and then enter the server name, domain, user name and
credentials for the server.
3. Click Test Connection to ensure the information is correct.
4. Click Save.

5. After you create the connection to an SCCM Site Server, additional tabs
are available.
You must select the collections to include in the Smart Group.
6. Click the Collections tab.
7. Select the collections, and then click Save.
A collection includes the assets that you want to apply patches to.
Collections are displayed here if at least one asset is detected in the
collection.
Note: You cannot change the autogenerated Smart Group.
Status information is provided for the following:
• Site Status - Displays a site status only. Includes such information as:
current status, site code, server availability (online or offline), event
information, version.
• Site Details - Displays information about the MS System Center
Configuration Manager.
A unique identifier (the site code) is added to every SCCM Smart Group.
This helps to identify the SCCM Site Server where the collection is from.

Deploying a Package to a Collection

Patches are immediately applied to the assets in the collection.
To deploy a package:
1. Select the collection in the Smart Groups browser pane.
2. Click the SCCM tab.
Review the client list to ensure that all targets have the SCCM client
installed.
3. Click Updates.
4. Review and select updates, and then click Deploy.

The page identifies the software available to deploy and the status of the
software on the assets in the collection: Installed, Required, N/A, and
Unknown.
5. On the Deployment Package Details page, enter the following
information:
Package name, description and deployment package location.
Note: The package source location must be entered as a UNC path
(\\servername\share\package name) and must be unique for
every package that you deploy. The share must already be created
on the server. This is SCCM behaviour.
6. Select the optional additional settings:
• Enforce an installation deadline for this deployment
• Enable Wake On Lan when the deadline for this deployment has
been reached
• Enable user notifications
• Enable reboot of client machines outside of maintenance window
• Suppress system restart on Workstations
• Suppress system restart on Servers
7. Click Deploy.
You can keep track of the successfully deployed packages on the Job
page.

SCCM and 3rd Party Patching

If you are using SCCM, you can publish 3rd party patches to an Active
Software Update Point (SUP) by configuring the Update Point (WSUS
server) on the Configure > Patch Management tab in Retina CS.

Any SUP that has an active WSUS connection in RCS should not be used to
create Patch-enabled Smart Rules. For more information, see Connecting to
a WSUS Server.

Using Group Policy to Configure SCCM Assets for 3rd Party Patches
Configuring SCCM assets to accept 3rd Party Patches involves two steps:
• Exporting the WSUS Certificate
• Configuring the Group Policy Object

Exporting the WSUS Certificate

Go through the steps in this section on the WSUS server that is the Active
Software Update Point for SCCM.
For detailed information on exporting a certificate, refer to the Help file
available with the Certificates snap-in.
To export a WSUS certificate:
1. Run mmc, and then add the Certificates snap-in.
Be sure to select Computer account, and Local computer.
2. Expand the WSUS node.
3. Right-click WSUS Publishers Self-signed and select All Tasks >
Export.
4. In the Certificate Export Wizard, select the following:
• No, do not export the private key
• DER encoded binary X.509 (.CER)
Enter a file name for the certificate and go through the remaining
pages of the wizard.

Configuring the GPO
Use the following procedures to configure the Group Policy Object (GPO)
to deploy configuration to SCCM enabled assets. The GPO saves the WSUS
certificate to the appropriate certificate stores and configures the assets to
accept third-party patches from non-Microsoft sources.
After the GPO is created, it must be linked to an OU that contains the
SCCM assets that you want to receive 3rd party patches.
To configure assets using Group Policy on Windows Server domains:
1. Open Group Policy Management Console (GPMC) on a domain
controller.
2. Create a GPO for the certificate at the domain level:
a. Select the domain you want to use, and then click Action > Create
a GPO in this domain, and Link it here.
b. Enter a name for the GPO, and then click OK. For example, enter
Patch Management Client Configuration Policy.
3. Select the new object, and then click Action > Edit.
4. Expand Computer Configuration > Policies > Windows Settings >
Security Settings > Public Key Policies.
5. Import the WSUS publishing certificate to the Trusted Root
Certification Authorities and Trusted Publishers stores.

6. Turn on signed updates in the Windows Update administrative template:
a. Expand Computer Configuration > Policies > Administrative
Templates > Windows Components, and then select Windows
Update.
b. Double-click Allow signed updates from an intranet Microsoft
update service location.
c. Select Enabled, and then click OK.
7. Select an OU or domain and create a link to this new GPO.

Retina Protection Agents


Not supported in Retina CS Community.
In this section,
Overview
Downloading Retina Protection Agents
Configuring a Default Policy
Preparing Target Assets
Using the 3rd Party Deployment Tool
Updating RPA Licenses
Deploying the Protection Policies
Storing Retina Protection Agent Serial Numbers
Reviewing Details About Protection Agents
Removing Protection Agents
Configuring Protection Policies
Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference

Overview
This section provides information on how the Retina Protection agent
deployment works.
How RP Agent Deployments Work
The Application Bus service receives a message from Retina CS to
start a deployment. A deployment package is created and includes
these files:
- BlinkSetup.exe
- #deploy.xml
- deployc.pfx
- msxml3.dll
- msxml3r.dll
- startdeplservice.exe
To ensure secure deployment, the deployc.pfx file includes a
security certificate, eEyeEmsClientCert.pfx.
The package is queued and ready to be copied to a share on the
target asset. This starts the deployment service (startdeplservice.exe).
This service sends a message to Retina CS indicating the job status.
When the deployment is complete, the startdeplservice.exe is
removed from the asset.
The service runs BlinkSetup.exe and installs:
- The VS2008 runtime environment if required.
- RPA
The service then reports to Retina CS that installation was successful.

Downloading Retina Protection Agents


The Retina Protection Agent must be downloaded before you can deploy
policies to selected assets.
You can deploy Retina Protection Agents using one of the following ways:
- Download through the Retina CS console.
- Copy the Retina protection agent installer to the following directory:
$Common Files\eEye Digital Security\Shared Services
Host\data\Setups\Blink\4.0.0. Change the name of the installer file to
BlinkSetup.exe.
- Use the 3rd Party Deployment tool. See Using the 3rd Party
Deployment Wizard.

To deploy the protection agent:


1. Select the Assets tab.
2. Click Protect.
3. If the protection agent deployment package is not found, click
Download Protection Agent.
Progress messages are displayed during the download. A file size
indicator updates every 10 seconds to show the status of the download.
After the Retina protection agent is downloaded, you must configure the
Default policy.
Air Gapped Connectivity to Retina CS
If the server where Retina CS resides does not have an Internet connection,
you can download Blink Professional and Blink Server from the client portal.

- Change the name of Blink Professional to BlinkSetup.exe and copy to
the following directory: C:\Program Files (x86)\Common Files\eEye
Digital Security\Shared Services Host\data\Setups\Blink\4.0.0\
- Change the name of Blink Server to BlinkSetup.exe and copy to the
following directory: C:\Program Files (x86)\Common Files\eEye
Digital Security\Shared Services Host\data\Setups\Blink Server\4.0.0\

Configuring a Default Policy


You must configure the Default policy to use the Retina CS server as the
central policy agent.
To configure the Default policy:
1. Select the Configure tab.
2. Click Protection Policies.
3. Select Default policy, and then select Edit Policy.

4. Click the pencil icon next to Master Rules.
5. Expand Misc Options, and then select General.
6. Expand Central Policy.
7. Select the Yes check box to use central policy.
8. Use the default protocol, https.
9. Enter the Retina CS server name and password.
10. Click Update.
Preparing Target Assets
Assets must have appropriate permissions in place so that the protection
policies can be copied to the asset.

Using the 3rd Party Deployment Tool


Use the 3rd Party Deployment wizard to create Retina Protection Agent
deployment packages. You can create a directory, executable, or .msi.
To create a deployment package:
1. Select Start > All Programs > eEye Digital Security > Tools > 3rd
Party Deployment Wizard.
2. Select the directory where you want to create the package files and
where the package will be deployed.
3. Select the check boxes for the type of deployment package: Create
Directory, Create Executable, Create MSI.
4. Select Retina Protection Agent Setup information:
- Setup filename - Displays the name for the .exe. The default value is
BlinkSetup.exe.
- Serial number - Enter the serial number for the Retina Protection
Agent.
- Mode - Select a mode: Interactive, Alert Only, Silent, Hidden.
- Administrator password/confirm password - Enter a password.
- Enable Firewall - Select to turn on firewall protection.
- Enable Virus and Spyware Protection - Select to turn on virus and
spyware protection.
- Enable Intrusion Prevention - Select to turn on intrusion prevention.
- Enable System Protection - Select to turn on system protection.
- 3rd party AV uninstall password - Enter the password to uninstall
existing anti-virus and intrusion prevention applications if detected
during deployment.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
a. Select the protocol: https, rem.
b. Select the server name where Retina CS resides.
c. Select the default policy.
d. Enter the password for central policy.
e. Enter the time interval to check for updates.

7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.
12. Click Finish.

Updating RPA Licenses


When your Retina Protection Agents (RPA) serial numbers are close to
expiry, you can deploy a serial number to all assets where RPAs are
deployed.
To update the serial number:
1. Select the Assets tab.
2. Select Agents, and then click Relicense.
3. Select the assets from the Smart Groups browser pane.
4. In the Deploy section, select: currently selected assets, single IP
address, IP range, CIDR notation or named host.
5. Select the check box to skip the assets that do not have an RPA
deployed.
6. Enter credentials.
7. Enter the serial number.
8. Click Run.

Deploying the Protection Policies


Use the following procedure to deploy protection policies to selected assets
and agents.
Checkpoint: Policies are only available after you deploy Retina protection
agents. For more information, see Downloading Retina Protection Agents.
Before proceeding, you might want to customize your policies. For more
information, see Configuring Protection Policies.

Note: Turn off the Require SSL setting in IIS Manager for the Retina CS
default web site. Otherwise, the status displayed does not indicate when the
deployment has successfully completed.

To deploy protection policies:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Select a policy and click Deploy.
3. Expand Status to determine the assets that already have Retina
protection agents deployed. Select Don't perform deployment on
these (n) assets, with n being the number of assets that do not have
the protection agent installed.
4. Expand Deploy to select the assets you want to apply the protection
policies to: Smart Groups, Single IP, IP Range, CIDR Notation, or
Named Host.
5. Expand Credentials Management to enter the domain, username, and
password credentials for the assets to deploy on. Credentials are
required.
For IP Range and CIDR Notation, the policies are deployed to the assets
that match the credentials entered.
6. Expand Software Removal Tool, and select the Enabled check box.
Enter a password, if required. This step is optional.
Third-party anti-virus and intrusion prevention applications are
uninstalled if detected during deployment.
7. Expand Advanced and enter the serial number and installation directory
for the Retina protection agent.
8. Select the Enable Event Forwarding check box to view malware and
vulnerability events on the Retina CS console.
9. Select the Force installation of Protection Agent check box to deploy
the protection agent to the selected targets.
10. Click Request Protection Agent Update to automatically download
updates for the protection agent.
11. Click Start Deploy.
Click Show Status to view the progress of the deployment; or click the
Jobs tab.

Storing Retina Protection Agent Serial Numbers


You can set a serial number as the default so that you do not need to enter
the serial number every time you deploy an agent.
The serial number is displayed differently depending on the permissions that
you are assigned. If you are assigned the Protection Policy Management
permission, all digits for a saved serial number are displayed and the Save as
Default button is available.

If you are only assigned the Deployment permission, the last section of the
serial number is displayed and the Save as Default button is not displayed.

You can clear the Use Default Serial check box at any time and then enter
another serial number.
For more information about permissions, see User Group Permissions.
Reviewing Details about Protection Agents
You can review the following information for a protection agent on the
Agents tab:
- Policy name
- Protection agent version
- Computer name where the agent is deployed
- Operating system
To review protection agent details:


1. Select the Agents tab.
2. To review only protection agent information, click the Preferences
button and clear any Retina scanner check boxes (for example, Retina
Version and Agent Name). This is optional.
3. Click the Filters button to set sorting information on the protection
agents. This is optional. This is helpful if there are a lot of protection
agents deployed in your environment.
Note that you cannot sort by Protection Agent Policy name.

Removing Protection Agents


You can remove a deployed protection agent from an asset.
To remove a protection agent:
1. Click the Assets tab.
2. Click the Agents tab.
3. Click Uninstall.
4. Enter the IP addresses for the assets.
5. Enter the credentials, and then click Run.

Configuring Protection Policies


In this section,
Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference
When setting up a protection solution using Retina CS, you need to
determine the rules that you want to use to protect your assets. Retina CS
ships with a set of default rules and rule groups.
After you determine the rule set and configure rules, you can attach the rule
groups to a policy. The policy is then deployed to your assets.
Working with Rules and Rule Groups
When creating rules and rule groups, review the following sections to
understand how they work.
Rule Group Ordering

When there is more than one rule group attached to a policy, the rules for all
attached groups are automatically merged into an effective set of rules for
the policy.
In the case where a specific rule is set in more than one attached group, the
group that is located higher in the list of attached groups takes priority. You
can click and drag on attached Rule Groups to modify their ordering and
thus their resulting relative priority.
Retina CS ships with a set of default rules. Each new policy automatically
inherits these default settings. Some rules are on while others are off.
Changing a default value is considered an override even if that setting is later
changed to its default state. This is important to understand since a rule
setting override is considered when multiple Rule Groups are merged in a
given Policy, but rules considered to be in their factory default state are
not.
To remove all rule setting overrides from a rule category in a Rule Group,
select that category and click the arrow next to the category title. In the
context menu that appears, select Revert to factory.

For example, consider three cases where two Rule Groups are attached to a
policy, Group A (highest priority) and Group B. The factory default setting
for a particular rule is off.
- Case 1: In Group B, that rule is set to on. The rule in Group A has never
been changed and is considered the default. The effective merged rule
setting will be on.
- Case 2: The rule in Group B is set to on, but in Group A that rule has
been set to on previously, but later set to off. Since this off
setting is now considered an override over the default setting, the
effective merged rule setting will now be off.
- Case 3: The rule category where this rule resides is reverted to factory
default for Group A and now the effective merged setting is once again
on, this case now being identical to the first.

Master Rules

Every policy has a set of Master Rules which can be considered a non-shared
Rule Group (it is specific to one policy only) that always has the highest
priority when rules are merged. Any rule set in the Master Rules section will
override the same rule setting in any attached groups.
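The merge behaviour described above (attached groups in priority order, overrides versus factory defaults, Revert to factory, and Master Rules on top) as an added Python model; this is example code written for this guide, not part of Retina CS, and the rule names, groups and factory defaults in it are constructed.

```python
"""Effective-rule merge for Retina CS protection policies.

Added example, not BeyondTrust code: it models the merge semantics the
guide describes (attached Rule Groups ordered by priority, the policy's
Master Rules taking precedence, and only explicit overrides counting).
The rule names, groups and factory defaults below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed factory defaults for a few sample rules (True = on).
FACTORY_DEFAULTS: Dict[str, bool] = {
    "Firewall/Block inbound SMB": False,
    "IPS/FTP brute force": True,
    "IPS/SMTP relay": False,
}


@dataclass
class RuleGroup:
    name: str
    # Only rules that were ever changed appear here; a rule that was set and
    # later returned to its factory value is still recorded as an override.
    overrides: Dict[str, bool] = field(default_factory=dict)

    def set_rule(self, rule: str, enabled: bool) -> None:
        self.overrides[rule] = enabled

    def revert_to_factory(self, category: str) -> None:
        """Drop every override in a category (the 'Revert to factory' action)."""
        prefix = category + "/"
        for rule in list(self.overrides):
            if rule.startswith(prefix):
                del self.overrides[rule]


@dataclass
class Policy:
    name: str
    master_rules: RuleGroup
    attached: List[RuleGroup]  # index 0 is the highest-priority attached group

    def effective_rule(self, rule: str) -> bool:
        # Master Rules always win, then attached groups in list order; a group
        # that holds no override for this rule does not take part in the merge.
        for group in [self.master_rules] + self.attached:
            if rule in group.overrides:
                return group.overrides[rule]
        return FACTORY_DEFAULTS[rule]

    def effective_rules(self) -> Dict[str, bool]:
        return {rule: self.effective_rule(rule) for rule in FACTORY_DEFAULTS}

    def explain(self, rule: str) -> str:
        for group in [self.master_rules] + self.attached:
            if rule in group.overrides:
                return f"{rule}: {group.overrides[rule]} (override from {group.name})"
        return f"{rule}: {FACTORY_DEFAULTS[rule]} (factory default)"


def walk_through_cases() -> List[bool]:
    """Replay the guide's three cases, then show Master Rules taking priority."""
    rule = "Firewall/Block inbound SMB"      # factory default: off
    group_a = RuleGroup("Group A")           # highest priority attached group
    group_b = RuleGroup("Group B")
    policy = Policy("Sample", RuleGroup("Master"), [group_a, group_b])
    results: List[bool] = []
    # Case 1: only Group B changes the rule; Group A is still factory default.
    group_b.set_rule(rule, True)
    results.append(policy.effective_rule(rule))   # on
    # Case 2: Group A was switched on and then off; that off is an override.
    group_a.set_rule(rule, True)
    group_a.set_rule(rule, False)
    results.append(policy.effective_rule(rule))   # off
    # Case 3: revert Group A's Firewall category to factory; back to case 1.
    group_a.revert_to_factory("Firewall")
    results.append(policy.effective_rule(rule))   # on
    # Master Rules override the same rule in every attached group.
    policy.master_rules.set_rule(rule, False)
    results.append(policy.effective_rule(rule))   # off
    return results


if __name__ == "__main__":
    print(walk_through_cases())
```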
Creating a Rule Group and Setting Rules
A Rule Group is a container for the rules that you want to apply to protect
your assets. In Retina CS, a rule group can contain any combination of rule
categories that includes: system firewall, application firewall, IPS signatures,
and Trusted and Banned IPs. In each rule category, there are particular rules
that you can activate if you want to provide that specific protection to your
asset.
Rule groups provide proactive and reactive protection against intruders,
internal attacks and machine misuse. When assigned to a policy, rule groups
are applied to assets, such as networks, servers, workstations and laptops.
To create a rule group:
1. Select the Dashboard tab and click Protect; or select the Assets tab,
and then click Protect.
2. Click Manage Rule Groups.
3. On the Manage Rule Groups page, you can:
- Click + to add a rule group. Enter a name for the rule group.
- Select the rule group from the Rule Groups pane to change the rule
group properties. You can type the name of the rule group in the box
to search for the rule group.
- Select the rule group and click - to delete the rule group.

4. Select a rule group, then select a rule category to display the associated
rules.
Rule categories with arrows contain subcategories. Click the arrow to
display the subcategories; select the subcategory to display the rules.
5. Select a rule name check box to activate the rule. To create a rule, go to
Rules.
6. Click Revert to revert to either last saved or the default value for the
rule category.
7. Click Update.

Creating a Protection Policy


Create a policy that defines the rules you want to apply to your assets.
You can create a dynamic protection policy. A dynamic policy includes
conditions that determine the assets where the protection policy will be
applied. For more information, see Creating a Dynamic Protection Policy.
Checkpoint: At least one policy category must be created to create a policy.
See Organizing Policies.

To create a protection policy:


1. Select the Assets tab.
2. Click Protect.
You can also create a policy from the Configure tab.
3. Click New Policy.
Drag rule groups to the rules pane. For more information, see Rule
Groups.
4. Click Create.
5. Enter the name of the policy and the policy group to which it is a
member. Click Update when editing an existing policy.
Creating a Dynamic Policy
You can attach a location to a policy. When a policy is processed, rule groups
and locations in the policy are also processed.
Locations and conditions define when a policy will be deployed to particular
assets.
- Location - One or more conditions.
- Condition - A set of criteria that determines the assets.

Assets in an environment can change or be removed. The policy is dynamic
since only those assets that meet the criteria in the condition are included.
To manage locations, open an existing policy or create a new policy.
The following procedure shows you how to create a condition and add the
condition to a location.
To create a dynamic policy:

1. Select the Dashboard tab, and then click Protect; or select the Assets
tab and click Protect.
2. Click New Policy.
You can also add locations to existing policies.
3. Click Add Location.
4. From the Location menu, select Manage Locations.
5. Click the + sign. Enter a name and click Create.
To edit an existing location, select the location from the Location pane.
To delete a location, select the location from the Location pane and click
the - sign.
6. Click Manage.
On the Manage Conditions window, you can create and delete
conditions.
a. Click + to create a condition. Enter a name and click Create.
b. Select Command or Script from the Command Type list.
Command options:
- Check Reachable - In the Command Parameters box, type the IP address
or domain name. Pings the IP address or domain name to verify access
in the network. For example, if the IP address or domain is reachable,
then the policy can be applied.

- Compare Version - Verifies which version of protection agent is
installed on the assets. This feature will be available at a later date.
- Verify DNS - In the Command Parameters box, type the IP address.
Confirms the Domain Name System server.
- Verify DHCP - In the Command Parameters box, type the IP address.
Confirms the Dynamic Host Configuration Protocol server.
Script options:
- Script Name - Java or Visual Basic script file. Click Upload Script to
upload a script.
- Script Parameters - Script file location.
c. Select the Network Status Change Events check box if you want to
log network status changes.
d. Click Update.
7. Drag the condition from the Conditions pane.
8. More than one condition can apply to a location. The following operators
are available:
And = &
Or = |
Not = !
Parentheses group conditions

9. Click Update.
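The condition operators listed in step 8, as an added example: a small evaluator for a location expression such as (dc_reachable & dns_ok) | !on_vpn, written for this guide and not taken from Retina CS. It assumes each named condition has already been evaluated (for example by a Check Reachable ping) to true or false and that condition names are plain identifiers; how the product itself tokenises expressions is not documented here.

```python
"""Evaluate a dynamic-policy location expression over condition results.

Added example, not BeyondTrust code. Supports the operators the guide lists
for combining conditions in a location: & (and), | (or), ! (not) and
parentheses. Condition names are assumed to be plain identifiers whose
results (for example from a Check Reachable ping) are already known.
"""
import re
from typing import Dict, List, Optional

# One token per match: an identifier or one of the single-character operators.
TOKEN_RE = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expr: str) -> List[str]:
    expr = expr.strip()
    tokens: List[str] = []
    pos = 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {expr[pos]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser; precedence is ! (highest), then &, then |."""

    def __init__(self, tokens: List[str], conditions: Dict[str, bool]) -> None:
        self.tokens = tokens
        self.pos = 0
        self.conditions = conditions

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self) -> bool:
        value = self.parse_and()
        while self.peek() == "|":
            self.take()
            rhs = self.parse_and()   # always parse the right side so syntax errors surface
            value = value or rhs
        return value

    def parse_and(self) -> bool:
        value = self.parse_not()
        while self.peek() == "&":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self) -> bool:
        if self.peek() == "!":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok is None or tok in "&|!)":
            raise ValueError(f"expected a condition name, got {tok!r}")
        if tok not in self.conditions:
            raise ValueError(f"unknown condition: {tok}")
        return self.conditions[tok]


def evaluate(expr: str, conditions: Dict[str, bool]) -> bool:
    """True if the location expression holds for the given condition results."""
    parser = _Parser(tokenize(expr), conditions)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token: {parser.peek()!r}")
    return result


# Constructed sample results for three conditions evaluated on one asset.
SAMPLE_CONDITIONS = {"dc_reachable": True, "dns_ok": True, "on_vpn": False}

if __name__ == "__main__":
    for expr in ["dc_reachable & dns_ok", "(dc_reachable & dns_ok) | !on_vpn",
                 "!(dc_reachable | dns_ok)", "dc_reachable & on_vpn"]:
        print(f"{expr!r:40} -> {evaluate(expr, SAMPLE_CONDITIONS)}")
```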

Organizing Your Policies


A policy category is a set of similar policies. A policy must be assigned to a
category when the policy is created.
To organize policies:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
You can also create a category from the Configure tab.
2. Click New Policy Category.
3. Enter the policy category name and click Create.
4. Drag policies from other policy categories to populate the new policy
category.

Rules Reference
As mentioned earlier, a protection policy contains the security rules that are
deployed to your assets.
This section details the rules available to you.
You can create, copy, edit, and delete rules. You cannot create rules for the
following rule categories: Identity Theft and Analyzers.
To copy, edit, or delete a rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
You can also manage rule groups from the Configure tab (Protection
Policies).
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the rule category.
5. Select a rule name check box to activate the rule.
6. Select the rule, click the arrow and select one of the following menu
items:
- Edit Rule - to edit the selected rule. Click the pencil icon to change
the settings.
- Duplicate Rule - to create a copy of the rule. Edit the new rule as
needed.
- Delete Rule - to delete the selected rule.
Note that menu items are not available on all rules.

System Wide Firewall Rules


System Wide Firewall rules control the flow of data by examining each
packet and determining whether to forward the packet toward a specific
destination.
To create system-wide firewall rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.

4. Select the System Firewall rule.
5. Click Create New Rule to start the wizard.
6. Complete the following pages.
a. Action
- Allow - traffic that matches the rule can pass through the
firewall.
- Deny - traffic that matches the rule cannot pass through the
firewall.
- Ask - a message is displayed requesting permission to pass
through the firewall.
- Log event - select to create an event log when the rule is
matched.
- Alert user - receive and log alerts from Blink when the rule is
matched. This can create a flood of alerts and increase the size of
the log file.
b. Protocol
- Select a protocol: TCP, UDP, TCP or UDP, ICMP, IP.
c. Traffic Direction
- Traffic from Other Computers - filters only inbound traffic
received by your computer.
- Traffic from This Computer - filters only outbound traffic
sent from your computer.
- Any Direction - filters both inbound and outbound traffic.
d. Local IPs & Ports
- Rule applies to all IP addresses - Create a rule for all local IP
addresses.
- Specific local IP addresses - Click +, and then select:
Determine IP(s) at run-time, Single IP, IP Range, or Subnet.
Click Set.
- Rule applies to all ports - Create a rule for all ports.
- Specific ports - Click +, and then enter a port number, port list,
or port range.

Use a comma to separate values. Ports in a range are separated
with a hyphen.
e. Remote IPs & Ports
Options on this page are the same as on the Local IPs & Ports page.
f. Rule Summary
- Enter a name and description for the rule.
- Place at the top of the rule list - select to run the rule first.
- Click Finish.
Application Firewall Rules
Application Firewall rules tailor the protection closer to the applications and
the specific network environment being protected.
To create an Application Firewall rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the text box to search for the rule group.
4. Select the Application Firewall rules category.
5. Click Create New Rule to start the rule wizard.

a. Application
- Full Path - Retina CS compares the path stored in the firewall
rule to the path of the application requesting network access.
The rule triggers when there is a match. Select this option for
applications that are typically updated during normal use.
- Process Name - Retina CS compares the application process
name to the process that is requesting network access.
The rule triggers when there is a match. This is the least secure
option.

- MD5 - Retina CS creates and stores an MD5 checksum of the
specified application. The MD5 algorithm is a method for signing
and verifying a file and its contents mathematically. At run-time,
Retina CS compares this MD5 checksum to the checksum of the
application that is requesting network access.
The rule triggers when there is a match. This is the default value
and the most secure option; however, if the application changes
during an auto-update, the rule becomes invalid. If selected,
enter the MD5 value.
- System Process - filters the system process requests from the
Operating System or Kernel Drivers running under a system
context. Typical system processes include printing and file
sharing.
b. Action
- Allow - traffic that matches the rule can pass through the
firewall.
- Deny - traffic that matches the rule cannot pass through the
firewall.
- Ask - a message is displayed requesting permission to pass
through the firewall.
- Log event check box - select to create an event log when the
rule is matched.
- Alert user check box - receive and log alerts from Blink when
the rule is matched. This can create a lot of alerts and increase
the size of the log file.
c. Protocol
- Select a protocol: TCP, UDP, or TCP or UDP.
d. Traffic Direction
- Traffic from Other Computers - filters only inbound traffic
received by your computer.
- Traffic from This Computer - filters only outbound traffic
sent from your computer.
- Any Direction - filters both inbound and outbound traffic.
e. Local IPs & Ports
- Rule applies to all IP addresses - Create a rule for all local IP
addresses.
- Rule applies to all ports - Create a rule for all ports.

- Specific ports - Click +, and then enter a port number, port list,
or port range.
Use a comma to separate values. Ports in a range are separated
with a hyphen.
f. Remote IPs and Ports
Options on this page are the same as on the Local IPs & Ports page.
g. Rule Summary
- Enter a name and description for the rule.
- Place at the top of the rule list - select to run the rule first.
- Click Finish.

IPS Signature Rules
You can create IPS network signatures that filter a specific protocol, such as
FTP, ICMP, and SMTP. For example, you can create an application layer IPS
signature that filters traffic from the subject line of all incoming or outgoing
email messages associated with the EMAIL protocol.
When you create an IPS signature rule, you can choose the Network Layer
or Application Layer protocol. The wizard pages change depending on the
protocol that you select.
For the following procedure, the wizard pages described assume the CGI Scripts
and Network Layer options are selected.
To create an IPS signature rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the box to search for the rule group.
4. Expand IPS Signatures and select a subcategory to display the
associated rules.
5. Click Create New Rule to start the wizard.
Protocol
Select a protocol.
IP Protocol
- Fragment Flags - Select the check box, then select: More Fragment,
Don't Fragment Bit, Reserved Bit.
  - Don't Care - The value is ignored.
  - Set - The binary value of the corresponding flag for 1s only is
verified.
  - Not Set - The binary value of the corresponding flag for 0s only
is verified.

- IP ID - Select Less Than, Equal To, or Greater Than and set the ID
number.
- IP Protocol - Select Less Than, Equal To, or Greater Than and set
the protocol.
- Time to Live - Select Less Than, Equal To, or Greater Than and set
the time.
- IP Options - Select Record Route, End of Option List, No
Operation, Internet Timestamp, Security, Loose Source Routing, or
Strict Source Routing.
- Type of Service - Select the service: Minimize Delay, Maximize
Throughput, Maximum Reliability, or Minimize Monetary Cost.
Traffic Direction
- Inbound - Filters only inbound traffic received by your computer.
- Outbound - Filters only outbound traffic sent from your computer.
- Both - Filters both inbound and outbound traffic.
Local IPs & Ports
- Rule applies to all IP addresses - Create a rule for all local IP
addresses.
- Specific local IP addresses - Click +, and then select: Determine
IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.
- Rule applies to all ports - Create a rule for all ports.
- Specific ports - Click +, and then enter a port number, port list, or
port range.
Use a comma to separate values. Ports in a range are separated with a
hyphen.
Remote IPs & Ports
Options on this page are the same as on the Local IPs & Ports page.
Search Pattern
Click +, and then type the pattern to search on.
You can create patterns using hex characters or a combination of
ASCII and hex characters. A hex sequence must be enclosed in < >.

- Start - (Optional) Enter the number of bytes to skip from the
beginning of the packet's payload.
- Depth - Enter the total number of bytes to search in the packet's
payload.
- Trigger rule if pattern not found - (Optional) Stop the action
from completing when the pattern is matched.
- Use regular expressions - (Optional) Find a specific word
followed by an alphanumeric.
- Match case on pattern - (Optional) Find a pattern that matches
the case in the Pattern field.
- Match only on patterns of same size - (Optional) Find a pattern
that matches the size in the Pattern field.

Action
- Stop attack - Stop the attack by terminating the session or dropping
packets.
- Capture Packets - Hold the packet for review by the user.
- Block IP for - Stop the attack for the specified number of minutes.
Available only for TCP-based IPS signatures.
This is not recommended for spoofable protocols, such as IP, UDP
and ICMP. In a spoofable attack, an attacker mimics the IP address
of critical systems and then forces the IP address to be added to the
banned list. Specify the frequency of the action.
- Log event - Create an event log when the rule is matched.
- Alert user - Receive and log alerts from RPA when the rule is
matched. This can create a flood of alerts and increase the size of the
log file.
Specify Threshold
- Take action for every occurrence of the event - When the
pattern is found, the action defined on the Action page occurs.
- Take action when the threshold is exceeded - When the
threshold is exceeded, the action defined on the Action page
occurs.
The default is one event every one second.

Specify References
(Optional) Enter more information about the vulnerabilities and
exploits.

The information helps to define what the IPS signature protects
against.
Set More Details
Enter more information about the rule.
- Rule severity - Select a severity between 0 and 9 (highest severity).
The severity level is included in the event log.
Rule Summary
- Enter a name and description for the rule.
- Place at the top of the rule list - select to run the rule first.
- Click Finish.

Trusted and Banned IPs

You can set trusted and banned IP addresses to manage lists of hosts processed by the Firewall and IPS protection engines. You must activate Intrusion Prevention or System Firewall to use the Trusted and Banned IPs feature.

Trusted IPs Add the IP address or range of IP addresses of trusted critical machines. All traffic from the trusted systems is then allowed without inspection. Note that if a trusted system attacks your Retina CS-protected server or workstation, the attack will not be detected, so keep this list short and restricted to hosts you control.

Banned IPs Provides time-based traffic blocking from an IP address. You can ban an IP for a period of time or indefinitely. Traffic from known problematic hosts is discarded without further processing.

If an IP address is on both the Trusted list and the Banned list, the ban takes precedence and the address is blocked.

All IPS Analyzer rules and signatures can be configured to ban the attacker IP for a certain amount of time. For example, you may want to slow down someone guessing an FTP account password by blocking them from the server for 10 minutes after each 10 failed attempts that occur within three minutes.
To create a Trusted IP or Banned IP rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the Trust IPs or Banned IPs rule category.
5. Click Create New Rule to start the wizard.
6. Enter the IP address, IP address range, or subnet.
7. Specify the time the IP remains on the list as either Permanent or Keep for [n] Minutes. You can also include a date and time. The IP address is automatically deleted from the IP list after the time period elapses.
8. Enter a description for the IP address.
9. Click Set. The IP address displays in either the Trusted IPs or Banned IPs list.
10. Click Update.
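As an added illustration, not code from the Retina CS guide or product, the following Python sketch implements the threshold rule and the trusted/banned precedence described above: 10 failed FTP logins within three minutes ban the source for 10 minutes, an address on both lists is treated as banned, and trusted sources are never inspected. The log line format, the class and function names and the sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed policy mirroring the guide's FTP example (the numbers are assumptions,
# not Retina CS defaults): ban the source for 10 minutes once 10 failed logins
# have occurred within 3 minutes.
THRESHOLD_COUNT = 10
THRESHOLD_WINDOW = 180   # seconds
BAN_MINUTES = 10

_ABSENT = object()


class ProtectionLists:
    """Trusted and banned IP lists with time-based expiry plus one threshold rule.

    Precedence follows the guide: an address on both lists is treated as banned.
    Trusted sources bypass inspection entirely, so their events never count
    toward the threshold (the guide's caveat that attacks from trusted hosts go
    undetected).
    """

    def __init__(self):
        self.trusted = []                    # ip_network entries
        self.banned = {}                     # ip_address -> expiry time (None = permanent)
        self.failures = defaultdict(deque)   # source ip -> timestamps of recent failures

    def trust(self, cidr):
        self.trusted.append(ipaddress.ip_network(cidr, strict=False))

    def ban(self, ip, now, minutes=None):
        """Ban permanently (minutes=None) or until now + minutes."""
        expiry = None if minutes is None else now + minutes * 60
        self.banned[ipaddress.ip_address(ip)] = expiry

    def is_banned(self, ip, now):
        addr = ipaddress.ip_address(ip)
        expiry = self.banned.get(addr, _ABSENT)
        if expiry is _ABSENT:
            return False
        if expiry is not None and now >= expiry:
            del self.banned[addr]            # time-limited ban has lapsed
            return False
        return True

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def handle_failure(self, ip, now):
        """Return the action taken for one failed-login event from ip at time now."""
        if self.is_banned(ip, now):
            return "drop"                    # banned wins, even for a trusted address
        if self.is_trusted(ip):
            return "allow"                   # trusted hosts are not inspected
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > THRESHOLD_WINDOW:
            window.popleft()                 # keep only failures inside the window
        if len(window) >= THRESHOLD_COUNT:
            window.clear()
            self.ban(ip, now, minutes=BAN_MINUTES)
            return "ban"                     # threshold exceeded: Block IP for 10 minutes
        return "log"                         # below threshold: log only


# Constructed log format "<epoch seconds> ftpd: login failed from <ip>" (an assumption).
_LINE = re.compile(r"^(?P<ts>\d+) ftpd: login failed from (?P<ip>[\d.]+)$")


def replay(lines, lists):
    """Run the rule over log lines; return [(ip, action), ...] for lines that parse."""
    out = []
    for line in lines:
        m = _LINE.match(line)
        if m:
            out.append((m["ip"], lists.handle_failure(m["ip"], int(m["ts"]))))
    return out


if __name__ == "__main__":
    lists = ProtectionLists()
    lists.trust("198.51.100.0/24")           # a trusted management subnet (constructed)
    sample = [f"{1000 + i} ftpd: login failed from 203.0.113.5" for i in range(11)]
    sample.append("1012 ftpd: login failed from 198.51.100.7")
    for ip, action in replay(sample, lists):
        print(ip, action)
```

The sliding window is what keeps the rule from firing on ten slow failures spread over an hour, and clearing it on ban prevents the same burst from re-banning the address the instant the ban expires.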

Registry Protection Rules


Registry rules protect registry resources against unauthorized modifications.
To create a Registry rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the Registry rule category.
5. Click Create New Rule to start the wizard.

a. Select Resource Type
Registry is selected.
b. Resource Path
Registry Key Path Enter the registry key path that the rule protects.
Match Type Select a matching type. See the Caller Path page details for descriptions.

c. Caller Path
Caller Path Enter the path of the process that accesses the key.
Match Type Select a matching type.
Exact Matches only the exact path. This is the fastest matching.
Partial Matches if the pattern is found anywhere in the path. This is the second fastest matching.
Wildcard Creates more complex rules that use * for any sequence of characters, # for any single numerical character and ? for any single alphabetic character.
Regex Creates the most complex matching rules. This can be the slowest and should be used with care.

MD5 Validation
Do not use caller MD5 The caller is identified by path only.
Auto-calculate caller MD5 Calculates the MD5 of the caller if the file is accessible on disk.
User specified caller MD5 Enter the caller's MD5 checksum in hex.
The MD5 checksum identifies a file by its contents. At run time, Retina CS compares this checksum to the checksum of the application that is requesting registry access. There is an implicit OR between the two types of matching, caller path and MD5 checksum: if either matches, the rule is triggered. Consequently a path match alone is sufficient; supplying a checksum extends the rule to the same binary at another location, it does not pin the binary at the given path to a particular build.

d. Specify an Action
Select the Read or Write access (or both) that this rule matches.

Allow Registry access that matches the rule is permitted. This is the default.

Deny Registry access that matches the rule is blocked.

Log Select to create an event log entry when the rule is matched.

Alert Receive and log alerts from the Retina Protection Agent when the rule is matched. A noisy rule can create a lot of alerts and increase the size of the log file.

e. Rule Summary
Enter a name and description for the rule. Select Place at the top of the rule list to run the rule before all other rules in the group. Click Finish.

Execution Protection Rules

Execution rules prevent the system from executing unauthorized processes.
To create an Execution rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to search for, display, and select that Rule Group.
4. Select the Execution rule category.
5. Click Create New Rule to start the wizard.

a. Select Resource Type
Execution is selected.
b. Resource Path
Path Enter the path of the executable that the rule governs.
Match Type Select a matching type. See the Caller Path page details for descriptions.

c. Caller Path
Caller Path Enter the path of the process that launches the executable.
Match Type Select a matching type: Exact, Partial, Wildcard or Regex. The types behave as described under Registry Protection Rules.

MD5 Validation
Select Do not use caller MD5, Auto-calculate caller MD5, or User specified caller MD5 (enter the checksum in hex). As for Registry rules, at run time the agent compares the checksum to that of the process requesting execution, and there is an implicit OR between caller path and MD5 checksum: if either matches, the rule is triggered.
d. Specify an Action
The Execute check box is selected and cannot be changed.

Allow Execution that matches the rule is permitted. This is the default.

Deny Execution that matches the rule is blocked.

Log Select to create an event log entry when the rule is matched.

e. Rule Summary
Enter a name and description for the rule. Select Place at the top of the rule list to run the rule before all other rules in the group. Click Finish.
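The match types and the MD5 validation described for Registry and Execution rules can be illustrated with the following Python code, which is an added example and not code from Retina CS or BeyondTrust. It implements the wildcard translation (* any run, # one digit, ? one letter), the four match types, and a caller rule that combines path and MD5 with the implicit OR the guide describes; demo() shows why that OR means a checksum does not pin the binary at a path. Function and class names, the case-insensitive comparison and the constructed files are assumptions.

```python
import hashlib
import os
import re
import tempfile


def wildcard_to_regex(pattern):
    """Translate the guide's wildcard syntax into a regex:
    * matches any sequence, # one numeric character, ? one alphabetic character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(r"\d")
        elif ch == "?":
            parts.append("[A-Za-z]")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def path_matches(match_type, pattern, path):
    """Apply one of the four match types. Windows paths are case-insensitive,
    so every comparison ignores case (an assumption about the agent's behaviour)."""
    if match_type == "Exact":
        return path.lower() == pattern.lower()
    if match_type == "Partial":
        return pattern.lower() in path.lower()
    if match_type == "Wildcard":
        return re.match(wildcard_to_regex(pattern), path, re.IGNORECASE) is not None
    if match_type == "Regex":
        return re.search(pattern, path, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class CallerRule:
    """Caller Path plus optional caller MD5, combined with the guide's implicit OR."""

    def __init__(self, match_type, pattern, md5=None):
        self.match_type, self.pattern = match_type, pattern
        self.md5 = md5.lower() if md5 else None

    def matches(self, caller_path):
        by_path = path_matches(self.match_type, self.pattern, caller_path)
        by_hash = (self.md5 is not None and os.path.isfile(caller_path)
                   and md5_of_file(caller_path) == self.md5)
        return by_path or by_hash            # either condition alone triggers the rule


def demo():
    """Show what the OR semantics mean in practice, using constructed files
    in a temporary directory. Returns a dict of the observations."""
    tmp = tempfile.mkdtemp()
    exe = os.path.join(tmp, "svchost.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ original build")
    rule = CallerRule("Exact", exe, md5=md5_of_file(exe))   # path AND hash recorded

    intact = rule.matches(exe)

    with open(exe, "wb") as f:                 # same path, different contents
        f.write(b"MZ tampered build")
    tampered_at_path = rule.matches(exe)       # still matches: the path alone is enough

    moved = os.path.join(tmp, "renamed.exe")   # same contents, different path
    with open(moved, "wb") as f:
        f.write(b"MZ original build")
    copied_elsewhere = rule.matches(moved)     # matches: the hash alone is enough
    path_only = CallerRule("Exact", exe).matches(moved)   # no hash: path mismatch fails

    return {"intact": intact, "tampered_at_path": tampered_at_path,
            "copied_elsewhere": copied_elsewhere, "path_only_on_copy": path_only}


if __name__ == "__main__":
    print(path_matches("Wildcard", r"C:\Temp\build#?.exe", r"C:\Temp\build7a.exe"))
    print(demo())
```

The practical consequence for rule design: if the goal is "only this exact build may touch the key", an Allow rule keyed on path plus MD5 does not achieve it, because a replaced binary at the same path still satisfies the path leg of the OR.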

File Integrity Rules

There are three types of integrity rules:

Protected files Folders and files that you want to monitor for changes.

Authorized applications Applications that are allowed to modify any protected file.

Custom rules Exceptions to the other rules. Custom rules are processed first.

A file protection rule activates when a protected file is changed, renamed, or deleted.

Add a Protected File Rule

A protected file rule applies PowerBroker EPP protection to the file.
To create a protected file rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Protected Files subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.

a. Specify File/Folder Path
Protect a file Enter the file that you want to protect.
Protect files inside a directory Enter the folder that you want to protect and a list of file extensions to protect within it. Select the Also Protect Subfolders check box to include all subfolders of the directory.

b. Specify an action
Select the Log check box to record the rule activity.
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.

c. Rule Summary
Enter a name and description for the rule. Select Place at the top of the rule list to run the rule before all other rules in the group. Click Finish.
Add an Authorized Application Rule

An authorized application rule allows an application to modify protected files.

To create an authorized application rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Authorized Applications subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify Authorized Application Path

Enter the caller attributes:

File Path Browse to the executable location for the caller, and then select the matching type:
Exact Matches only the exact path. This is the fastest matching.
Contains Matches if the pattern is found anywhere in the path. This is the second fastest matching.
Not Contains Matches when the pattern is not found in the path.
Wildcard Creates more complex rules that use * for any sequence of characters, # for any single numerical character and ? for any single alphabetic character.
Regex Creates the most complex matching rules. This can be the slowest matching.

Process Arguments Add process arguments to narrow the scope of the rule. For example, if the file path is c:\Windows\System32\svchost.exe, an argument might be -k tapisvr; the rule then applies only to the svchost.exe instance hosting the TapiSvr service. This matters because many unrelated services share the svchost.exe image, so a rule on the path alone authorizes all of them.

MD5 or SHA1 Enter the caller's MD5 or SHA1 checksum in hex. The checksum identifies the file by its content and verifies that the content has not changed. SHA1 is the stronger of the two and is recommended over MD5; MD5 collisions are practical, so an MD5 value should not be relied on where an attacker could craft the file. PBEPP detects the type of hash from the value entered (MD5 or SHA1). Use a checksum when you can access the file and you are certain the file does not normally change (for example, through user changes or software updates); otherwise every update to the application stops the rule from matching.

File Size Enter the file size.

Executable is packed Select True to match only executables that are packed (compressed or obfuscated on disk).

File Location Select from: Hard drive, USB, CD ROM and Network.

Product Name, Product Description, Company Enter the product information.

Digital Signature Name, Digital Signature Validity Select the signature parameters (the signer name and whether the signature must be valid).

Process Owner Enter the name of the user account running the executable. Alternatively, enter the SID for the process owner.

User Group Enter one or more user groups. If the user running the executable belongs to one of the listed groups, the property matches. Alternatively, enter the SID for the user group.

b. Specify an action
Select the Log check box to record the rule activity.
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
Enter a name and description for the rule. Select Place at the top of the rule list to run the rule before all other rules in the group. Click Finish.
Add a Custom Rule

A custom rule applies protection to a folder (all files in the folder are protected regardless of the file type) for a specific caller, and is processed before the other file integrity rules. Files and folders included in the rule are not included in the scheduled scan.
To create a custom rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Custom subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify File/Folder Path
Protect a file Enter the file that you want to protect.
Protect files inside a directory Enter the folder that you want to protect and a list of file extensions to protect within it. Select the Also Protect Subfolders check box to include all subfolders of the directory.

b. Specify Authorized Application Path
Enter the caller attributes: File Path and its matching type, Process Arguments, MD5 or SHA1, File Size, Executable is packed, File Location, Product Name, Product Description, Company, Digital Signature Name, Digital Signature Validity, Process Owner, and User Group. These attributes are the same as those described under Add an Authorized Application Rule.

c. Specify an action
Select the action to take when the rule is matched: Allow or Deny.
Select the Log check box to record the rule activity.
Set the rule severity. The severity level is included in the event log. The default value is 1.
You can also create a category to organize rules.
d. Rule Summary
Enter a name and description for the rule. Select Place at the top of the rule list to run the rule before all other rules in the group. Click Finish.
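The three rule types and their processing order (custom rules first, then authorized applications, then protected files) are illustrated by the following added Python example, which is not code from PowerBroker EPP or Retina CS. It also shows the MD5-versus-SHA1 detection by digest length that the guide mentions. All names, the event shape and the sample paths are assumptions; PureWindowsPath is used so that path comparisons are case-insensitive like Windows paths, and the caller's bytes are passed in directly instead of being read from disk.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


def detect_hash_type(digest_hex):
    """Infer the algorithm from the digest length, as the guide says PBEPP does."""
    d = digest_hex.strip().lower()
    if len(d) == 32:
        return "MD5"
    if len(d) == 40:
        return "SHA1"
    raise ValueError("expected a 32-char MD5 or 40-char SHA1 hex digest")


def digest_matches(data, expected_hex):
    algo = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}[detect_hash_type(expected_hex)]
    return algo(data).hexdigest() == expected_hex.strip().lower()


@dataclass
class FileEvent:
    """A change, rename or delete of a file, with the process that did it.
    caller_bytes stands in for reading the caller's image from disk (constructed)."""
    path: str
    operation: str          # "change", "rename" or "delete"
    caller: str
    caller_bytes: bytes


class ProtectedFiles:
    """Protected Files rule: a folder, optional extension list, subfolder flag, severity."""

    def __init__(self, folder, extensions=(), subfolders=True, severity=1):
        self.folder = PureWindowsPath(folder)     # PureWindowsPath compares case-insensitively
        self.extensions = {e.lower().lstrip(".") for e in extensions}
        self.subfolders = subfolders
        self.severity = severity

    def covers(self, path):
        p = PureWindowsPath(path)
        in_scope = p.parent == self.folder or (self.subfolders and self.folder in p.parents)
        ext_ok = not self.extensions or p.suffix.lstrip(".").lower() in self.extensions
        return in_scope and ext_ok


class AuthorizedApp:
    """Authorized Applications rule: caller path plus optional MD5/SHA1 of its image."""

    def __init__(self, exe_path, digest_hex=None):
        self.exe_path = PureWindowsPath(exe_path)
        self.digest_hex = digest_hex

    def matches(self, event):
        if PureWindowsPath(event.caller) != self.exe_path:
            return False
        return self.digest_hex is None or digest_matches(event.caller_bytes, self.digest_hex)


@dataclass
class CustomRule:
    """Custom rule: an exception pairing a scope with a caller and an Allow/Deny action."""
    scope: ProtectedFiles
    app: AuthorizedApp
    action: str             # "Allow" or "Deny"


def evaluate(event, custom_rules, authorized_apps, protected):
    """Decide what the agent does with one file event.
    Order follows the guide: custom rules first, then authorized applications,
    then protected-file rules (which only log); anything outside every scope is ignored."""
    for rule in custom_rules:
        if rule.scope.covers(event.path) and rule.app.matches(event):
            return rule.action
    if any(app.matches(event) for app in authorized_apps):
        return "Allow"
    for scope in protected:
        if scope.covers(event.path):
            return f"Log(severity={scope.severity})"   # protected file touched by an unknown caller
    return "Ignore"


if __name__ == "__main__":
    web = ProtectedFiles(r"C:\inetpub\wwwroot", extensions=("aspx", "config"))
    updater = AuthorizedApp(r"C:\Program Files\Updater\update.exe",
                            "da39a3ee5e6b4b0d3255bfef95601890afd80709")  # SHA1 of b"" (constructed)
    ev = FileEvent(r"C:\inetpub\wwwroot\web.config", "change",
                   r"c:\program files\updater\UPDATE.EXE", b"")
    print(evaluate(ev, [], [updater], [web]))
```

Because a custom Deny rule is consulted before the authorized-application list, it is the right place to carve an exception out of a broad authorization (for example, a signed editor that is generally allowed but must never write under the web root).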
Windows Events Rules
You can create a rule that forwards entries from the Windows Event logs: Application, System, and Security.
Source Names
The source name identifies the component that wrote the Windows event. The value to enter depends on the operating system that is forwarding the events:

Windows XP, Windows 2003 Use the name shown in the Windows Event Viewer Source column.

Vista, Windows 7, Windows 2008 Use System-Provider[EventSourceName] from the Details tab of the event, if available. Otherwise, use [Name].

To create a Windows event rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to search for, display, and select that Rule Group.
4. Expand Windows Events, and then select: Application, System, or Security.
Enabled Select the check box to activate the rule. One or more Windows event sources must be provided to activate the rule; events are only forwarded when a source is provided.
Severity Select the severity level from the list: Only Errors, Errors and Warnings, All. Note that All includes Information events, which can be a large volume.
Add Click to provide the following information about the event log entries you want to track:
Source name The name of the application that issued the event. See Source Names. You can enter the source name without providing Event IDs; all events from the source are then forwarded.
Include Enter the Event IDs to forward to Retina CS.
Exclude Enter the Event IDs to exclude. The excluded list overrides the included list.
The guide's example shows a range of event IDs to include and two IDs in that range to exclude.
5. Click Save.
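The following added Python example (not part of Retina CS) applies the rule described above to a set of constructed events: an include range, an exclude list that overrides it, the severity choices, and the requirement that a source be present before anything is forwarded. The range syntax "4624-4634, 4720", the level names and the sample events are assumptions.

```python
def parse_id_list(text):
    """Parse an ID list such as '4624-4634, 4720' into a set of event IDs.
    The range syntax is an assumption; the guide only shows that ranges exist."""
    ids = set()
    for part in text.replace(";", ",").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


# Levels admitted by each Severity choice; None means no level filter at all.
_LEVELS = {
    "Only Errors": {"Critical", "Error"},
    "Errors and Warnings": {"Critical", "Error", "Warning"},
    "All": None,                       # includes Information events, as the guide warns
}


class WindowsEventRule:
    """One entry under Windows Events > Application/System/Security."""

    def __init__(self, log, source, include="", exclude="", severity="All", enabled=True):
        self.log = log
        self.source = source.strip()
        self.include = parse_id_list(include)
        self.exclude = parse_id_list(exclude)
        self.levels = _LEVELS[severity]
        self.enabled = enabled

    def forwards(self, event):
        """True if this rule forwards the event (a dict with log, source, id, level)."""
        if not self.enabled or not self.source:
            return False                # no source configured: nothing is forwarded
        if event["log"] != self.log or event["source"].lower() != self.source.lower():
            return False
        if self.levels is not None and event["level"] not in self.levels:
            return False
        if event["id"] in self.exclude:
            return False                # the excluded list overrides the included list
        return not self.include or event["id"] in self.include   # empty include = all IDs


def forwarded_ids(events, rules):
    """IDs of the events that at least one rule forwards, in input order."""
    return [e["id"] for e in events if any(r.forwards(e) for r in rules)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing", "id": 4624, "level": "Audit Success"},
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing", "id": 4625, "level": "Audit Failure"},
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing", "id": 4634, "level": "Audit Success"},
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing", "id": 4720, "level": "Audit Success"},
    {"log": "System", "source": "Service Control Manager", "id": 7036, "level": "Information"},
    {"log": "System", "source": "Service Control Manager", "id": 7034, "level": "Error"},
]

if __name__ == "__main__":
    rules = [
        # include the logon/logoff range but drop the two noisiest IDs inside it
        WindowsEventRule("Security", "Microsoft-Windows-Security-Auditing",
                         include="4624-4634", exclude="4624, 4634"),
        WindowsEventRule("System", "Service Control Manager", severity="Only Errors"),
    ]
    print(forwarded_ids(SAMPLE_EVENTS, rules))
```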
Trusted List Options
The Trusted List shows, by name and category, the malware detections that the agent treats as trusted, that is, detections it will not act on. Add an entry only for a confirmed false positive, since a trusted entry suppresses that detection.
To access Trusted List rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the Trusted List rule category.
5. Click Create New Rule to start the wizard.
6. Select the check box for a malware name and click Save.
7. Click Save.
8. Click Update.
Miscellaneous Options
Miscellaneous options allow you to set rules for Retina CS operations.
To access miscellaneous options:
1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Expand Misc. Options and select a subcategory: Virus and Spyware, General, System Protection, Scheduler, Auto-Updater, Vulnerability Assessment, Intrusion Prevention, IIS Protection, Firewall, or Events. For more information, refer to the Retina Protection Agent User Guide.
5. After you change the properties for a subcategory, click Update.

PowerBroker Servers for Unix & Linux

Overview
Managing PowerBroker Servers Events
Creating a Smart Group for PowerBroker Servers Assets
Using pbreplay to Play the Logged Events
Searching the I/O Logs
Search Parameters

For detailed information about PowerBroker Servers for Unix and Linux features, refer to the PowerBroker Servers product documentation.

Overview
Use Retina CS to manage PowerBroker Servers event log records. Configure Retina CS and PowerBroker Servers to work together so that the event logs are sent to the Retina CS management console.
After the event log records are stored in the Retina CS database, you can run reports to analyze your Unix and Linux assets. You can create Smart Groups based on the argument types to track the event types in the I/O logs.
The event information is also used as the source for determining the heartbeat of your assets, for example whether the asset is running.
Event Types
The event types forwarded to Retina CS are Accept and Reject. Accept and Reject events can help you determine whether your assets are sending events (indicating that the asset is up and running).
Retina CS and PowerBroker Servers Architecture
A diagram in the guide shows how Retina CS and PowerBroker Servers send information between their respective components.
Secure Retina CS certificates are deployed to the PowerBroker Servers assets. Apache Solr is used to index the PBUL I/O logs; the indexed results are forwarded to Retina CS, where they can be sorted and viewed.
Managing PowerBroker Servers Events


On the Assets page, you can review the run arguments and I/O logs
captured for an asset.
PowerBroker Servers events are tied to runhost events. Create your Smart
Groups using runhost as a filter.
You can run reports on PowerBroker Servers assets using Retina Insight.

Creating a Smart Group


You can create a Smart Group to organize your PowerBroker Servers assets.
You can set filters based on the PowerBroker Servers assets and the event
types, including user name, command, exit status, and run arguments.

For detailed instructions on Smart Groups, see Working with Smart Rules.
Purge Events

PowerBroker Servers events are purged after 30 days. You can configure the
number of days events remain in the database before purging. See
Maintenance Options.

Using pbreplay to Play the Logged Events

Use pbreplay, a tool available in PowerBroker Servers for Unix & Linux, to replay the events logged up to that point in time.
You can access pbreplay in two ways from Retina CS:
From the Search results page on the Assets page
From the Event Details page

To run pbreplay:
1. On the PowerBroker Servers page, select the i for an asset to review collected arguments and I/O logs.
2. Click the arrow for an I/O log to start pbreplay.

Searching the I/O Logs

You can search the index of the PowerBroker Servers I/O logs. For information about search commands, see Search Parameters.
To search the index of the I/O logs:
1. Log on to Retina CS.
2. Select the Assets tab.
3. Select the Smart Group where the PowerBroker Servers assets reside.
4. Select PowerBroker for Unix & Linux, and then select the Search tab.
5. Select the Solr host on which your I/O logs were indexed from the "Search Hosts" drop-down menu.
Note: To allow the Search window to connect securely to the Solr servers, you must import the SSL certificates and certificate authorities correctly on the Retina CS side; without the issuing CA the console cannot verify the Solr server's identity. The instructions for importing the certificates are in the PowerBroker Servers Install Guide, under the "Post-Install" section of "Solr Installation".
Search Parameters
A query is broken up into terms and operators. There are two types of terms: single terms and phrases. A single term is a single word such as "test" or "hello". A phrase is a group of words surrounded by double quotes, such as "hello dolly".
Multiple terms can be combined with Boolean operators to form a more complex query (see below).
PowerBroker Servers I/O log files are indexed on the content of the I/O log, as well as the following fields: user, runuser, runcommand, runargv.
You can search any field by typing the field name followed by a colon ":" and then the term you are looking for.
Examples of searches on the event log variables in the I/O logs:

Table 18. Basic and Compound Searching

Search Pattern  Finds...
runuser:root  all documents where the runuser was 'root'
user:oracle AND runcommand:bash  all documents where the user was 'oracle' and the runcommand was 'bash'

If you have added custom policy variables to the list of indexed variables (using the setting 'solrvariables <var>_pbul' in the PowerBroker Servers pb.settings file), you can also search on those variables using the following syntax in the "Search" field.

For example, if you have a policy variable called 'ticketnum_pbul' and have added it to solrvariables to be indexed, you can search on it using the syntax:

Search Pattern  Finds...
ticketnum_pbul:1523XA5  all documents where 'ticketnum_pbul' is set to 1523XA5

You can combine the event log variable queries above with a search of the I/O log content. For example:

Search Pattern  Finds...
runuser:root AND rm  all documents where the runuser was root and the word 'rm' was found in the I/O log file

You can also narrow down your search using the Start and End time fields. These dates are in the local time zone of the browser from which Retina CS is accessed.
Note: These are the date and time at which the I/O log files (sessions) were created and completed. They are not the date and time at which a secured task was executed by PowerBroker Servers. To search using the date and time within the I/O log sessions, refer to Proximity Search below.
Simple Search Example

Compound Search Example

Boolean operators allow terms to be combined through logic operators. The supported Boolean operators are AND, OR, and NOT (Note: Boolean operators must be ALL CAPS).
The OR operator is the default conjunction operator: if there is no Boolean operator between two terms, OR is used. The OR operator links two terms and finds a matching document if either of the terms exists in a document. This is equivalent to a union using sets.
To search for documents that contain either "cat /etc/passwd" or just "passwd", use the query: "cat /etc/passwd" OR passwd
Table 19. Wildcard matching

Search Pattern  Finds...
grep*  any word in the default (I/O log content) field that starts with "grep"
grep*someFile  any word in the default field that starts with "grep" and ends with "someFile"
*:*  everything: all indexed documents are returned
rm*  any word in the default field that starts with "rm"
rm*someFile  any word in the default field that starts with "rm" and ends with "someFile"
P?sswd  any word that starts with "P", followed by any single character, and ends with "sswd"

Note: Lucene does not support using * or ? as the first character of a search.

Range Searches

Range queries match documents whose field values lie between the lower and upper bound specified in the query. Range queries can be inclusive or exclusive of the bounds. Sorting is done lexicographically, so numeric-looking values are compared as strings.
Search Pattern  Finds...
runuser:[Aida TO Carmen]  all documents whose runuser is between Aida and Carmen, including Aida and Carmen
runuser:{Aida TO Carmen}  all documents whose runuser is between Aida and Carmen, excluding Aida and Carmen

Inclusive range queries are denoted by square brackets. Exclusive range queries are denoted by curly brackets.
AND

The AND operator matches documents where both terms exist anywhere in the text of a single document. This is equivalent to an intersection using sets.
To search for documents that contain "cat services" and "rm passwd" use the query: "cat services" AND "rm passwd"

NOT

The NOT operator excludes documents that contain the term after NOT. This is equivalent to a difference using sets.
To search for documents that contain "rm passwd" but not "cat services" use the query: "rm passwd" NOT "cat services"
Note: The NOT operator cannot be used with just one term. For example, the following search returns no results:
NOT "cat services"

Grouping

Use parentheses to group clauses to form sub-queries. This is useful when you want to control the Boolean logic of a query.
To search for either "rm" or "cat", together with "passwd", use the query:
(rm OR cat) AND passwd
Field Grouping

Use parentheses to group multiple clauses for a single field.
To search for a runargv that contains both the word "rm" and the phrase "-rf" use the query:
runargv:(rm AND "-rf")

Escaping Special Characters

Characters that are part of the query syntax can be escaped so that they are searched literally. The current list of special characters is:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
To escape a character, put \ before it. For example, to search for (1+1):2 use the query:
\(1\+1\)\:2
To search for /etc/passwd use \/etc\/passwd
Unescaped input can change the meaning of a query (for example, *:* matches every indexed document), so escape any value you paste into the Search field from another source such as a ticket or a report.
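Because the Search field takes raw Lucene syntax, a value copied into it from elsewhere (a ticket number, a user name, a command line) can alter the structure of the query unless it is escaped. The following added Python helpers, not part of Retina CS or PowerBroker Servers, build the queries shown in this section from plain values: they escape the guide's special characters, quote multi-word values as phrases, and emit the range and proximity forms. The field names and the ticketnum_pbul variable are the guide's; the function names are assumptions.

```python
# Characters the guide lists as special in the query syntax, plus '/', which the
# guide's own "/etc/passwd" example escapes as well.
_SPECIAL = set('+-&|!(){}[]^"~*?:\\/')


def escape_term(term):
    """Backslash-escape every special character so the term is searched literally."""
    return "".join("\\" + c if c in _SPECIAL else c for c in term)


def phrase(words):
    """Quote a multi-word phrase; only the quote and backslash need escaping inside."""
    inner = words.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{inner}"'


def literal(value):
    """Render a user-supplied value so it can never be read as an operator or wildcard:
    phrases are quoted, single terms are escaped."""
    value = value.strip()
    return phrase(value) if " " in value else escape_term(value)


def field_query(field, value):
    """field:value, with the value rendered literally."""
    return f"{field}:{literal(value)}"


def proximity(words, distance):
    """Proximity search: the words of the phrase within `distance` positions of each other."""
    return f"{phrase(words)}~{int(distance)}"


def range_query(field, lower, upper, inclusive=True):
    """[a TO b] includes the bounds; {a TO b} excludes them."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{field}:{open_}{escape_term(lower)} TO {escape_term(upper)}{close}"


def combine(clauses, operator="AND"):
    """Join clauses with AND/OR; the operator must be upper case for Lucene."""
    op = operator.upper()
    if op not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    return f" {op} ".join(clauses)


def group(query):
    return f"({query})"


def session_query(runuser, command_word, ticket=None):
    """Worked example: a query built from filters a user typed into a form.
    The values go through literal(), so "*:* OR x" is searched as a phrase
    rather than matching every document. Parameters are assumptions."""
    clauses = [field_query("runuser", runuser), literal(command_word)]
    if ticket:
        clauses.append(field_query("ticketnum_pbul", ticket))
    return combine(clauses)


if __name__ == "__main__":
    print(escape_term("(1+1):2"))
    print(session_query("root", "rm", ticket="1523XA5"))
    print(group(combine(["rm", "cat"], "OR")) + " AND passwd")
    print(proximity("2013 04 26 09:20 rm", 100))
```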
Proximity Search

A proximity search finds words that are within a specified distance of each other. For proximity searches, use a tilde (~) followed by the distance at the end of the phrase.
Table 20. Proximity matching

Search Pattern  Finds...
"grep someFile"~4  "grep" and "someFile" within 4 words of each other. For proximity searches, exact matches are proximity 0, and word transpositions (someFile grep) are proximity 1.

By default, PowerBroker Servers indexes a timestamp in the following format: "2013 04 23 22:10". This timestamp appears in the output every time a CR is in stdin, so it can anchor a proximity search to the time at which a command was typed.
"2013 04 26 09:20 rm"~100  rm near 09:20 on 26 April 2013 (using Solr's proximity syntax).
"2013 04 26 rm"~100  expands the search to the whole day.
"2013 04 rm"~100  expands the search to April.

Proximity Search Example

PasswordSafe

Overview
Configuring PasswordSafe
Creating a Connection to Your Appliance
Creating User Groups
Adding a Managed System
Managing Passwords
Requesting a Password
Approving a Password
Retrieving a Password

For detailed information about PowerBroker PasswordSafe features, refer to the PowerBroker PasswordSafe product documentation.

Overview
PasswordSafe integrates with BeyondTrust's PowerBroker PasswordSafe. PowerBroker PasswordSafe is a hardened appliance that creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.
Configure PasswordSafe to monitor and manage passwords.
Email notification is configured on the PowerBroker PasswordSafe appliance. Emails are sent during the request and approval process.

Configuring PasswordSafe
To configure PasswordSafe, you must:
Create a connection to your PowerBroker PasswordSafe appliance.
Create user groups that are assigned roles to manage password releases.
Always use Retina CS to edit or delete the following PasswordSafe items created in Retina CS: users, user groups, managed systems, collections. Using the PasswordSafe appliance to manage these items can result in unrecoverable configuration or synchronization errors.
Creating a Connection to Your Appliance


You must create a connection between Retina CS and your PowerBroker
PasswordSafe appliance.
Note: You can only create one connection.
After you create a connection to an appliance, the PasswordSafe tab is
available on the Retina CS page.
To create a connection:
1. In Retina CS, click the Configure tab.
2. Click the PasswordSafe Connections tab, and then click New.
3. Provide the following information for the appliance:
Title Enter a name for the appliance.

Appliance IP Enter the IP address for the appliance.

CLI User The CLI user is generated from the appliance and cannot
be changed.

Key The key is generated on the appliance.

4. After you enter the information, click Test to ensure the connection is
established to the appliance.
5. Click Save.
Creating User Groups
In the PasswordSafe password release process, there must be user groups
created to manage the following tasks in the process:

Requestor Assign this role to users that can request a password.

Approver Assign this role to users that will approve password releases.

Requestor/Approver Assign this role to users that can both request and approve password releases. Note that a user with this role cannot approve their own requests.

Information Security Administrator This role is responsible for setting up managed systems and accounts.

Auditor Assign the Auditor role to run reports in Retina Insight. The Auditor role can be assigned in combination with the other roles.

No Roles Assign this role to remove any previously assigned roles from a user group.

Note that you cannot assign roles to the Retina CS administrator. Roles apply only to PasswordSafe features.

Note: All changes to PasswordSafe user accounts (users with PasswordSafe
roles assigned) must be managed by the Retina CS Administrator
account.
To create a PasswordSafe user group:
1. Click the Configure tab, and then click the Accounts tab.
2. Click +, and then click Group or Active Directory Group.
3. Create the group information as usual. See Creating User Groups.
4. Select a Smart Rule where the PasswordSafe assets will be added.
5. Select the role to assign, and then click Save.

The role changes are synchronized with the PasswordSafe appliance.


Adding a Managed System


Note: Only a user group assigned the Information Security Administrator
role can add an asset to PasswordSafe.
You must configure system and connection settings when you add a system
to PasswordSafe. These settings are similar to the PowerBroker
PasswordSafe appliance settings.
To configure system settings:
1. Right-click the asset on the Asset page, and then click Add to
PasswordSafe.

2. Enter the system settings:

System Name Enter a name for the managed system.

Platform Select the platform of the system that you want to manage.

Network Address Enter the IP address of the managed system.

Default Password Rule Select a password rule. The rule determines the password requirements (for example, complexity rules). Password rules are created in PowerBroker PasswordSafe. Ensure that any rule you create meets the native password policy of the platform (for example, the same minimum length and complexity), so that the passwords PasswordSafe generates are accepted by the managed system.

Default Maximum Release Duration Set the length of time before a released password expires.

Description (Optional) Enter information about the system.

Contact E-mail Enter an email address for email notifications.

Enable Automatic Password Management Select the check box to activate password management with PasswordSafe.

To configure the connection settings:
1. After you configure the system settings, click the Connection tab.
2. Enter the connection information for the managed system:


Platform Name The platform of the system.

Network Address Enter the IP address of the managed system.

NetBIOS If the platform is Windows, enter the NetBIOS domain name.

Account Type, Account Name, Password Enter the account credentials used to access the managed system.

Connection Timeout Enter the length of time that passes before a connection to a managed system times out. Increase the timeout if connections to the managed systems take longer than usual.

To configure management settings:
1. After you configure the connection settings, click the Management tab.
2. Select the management settings:

Check Password Select to check the managed account passwords daily. The stored password is compared to the current password on the managed system.

Reset Password on Mismatch Select this check box to reset the password when the daily check detects that the stored and current passwords differ. If email is configured and this check box is not selected, an email notification is sent when a mismatch is detected.

Change Frequency Select how frequently you want to reset a password.

Change Time Select the time of day to change a password.

Change password after any release Select to automatically reset a password after the password is released.

Default duration of ISA releases of password Set the length of time between an Information Security Administrator (ISA) retrieving the password and the automatic reset of the password.

Add managed accounts from the managed systems. Add administrator accounts (such as root or Administrator).
To configure accounts:
1. On the Managed Systems Settings page, click the Accounts tab, and
then click Add.
2. Provide the following information for the managed account:
System Name Provide the name of the managed system where
the account resides.


Account Name, Current Password Enter the credentials for the account.

Password Rule Select the password rule. Password rules are configured on your appliance.

Change password for Windows Services started by this account Select this check box to update the Windows services that run under this account when the password changes. For example, if the account you are configuring is an Administrator account that runs system services, select this option so that the services continue to run uninterrupted after the password change.

Use this account's current password to change the password Select this check box for managed systems running Windows XP or Windows Server 2003. Security on those operating systems relies on authentication certificates stored for the account.

Approvals Required Enter the number of approvals required before the password is released.

Send Release Notification Email to Enter the email address for the approvers.

Maximum Release Duration Select the maximum length of time that a requestor can choose for the password release duration.

Enable Automatic Password Changing/Testing Select the check box to override the system settings. Password changes are then managed at the account level.

3. Click Save.
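Before you enable automatic password changes for an account that runs Windows services, it helps to know exactly which services the "Change password for Windows Services started by this account" option has to update. The following PowerShell script is an added example and is not Retina CS or PasswordSafe code: it lists the services on a managed system that log on as a given account, and also the scheduled tasks that run as that account, because those store the same credential and are worth reviewing separately. The account and computer names are placeholders, and the script assumes PowerShell 3.0 or later with WMI access to the managed system.

```powershell
# Added example (not Retina CS or PasswordSafe code): enumerate everything on a
# Windows host that logs on with a given account, so the blast radius of a
# password change is known before automatic management is switched on.
function Get-AccountDependencies {
    param(
        [Parameter(Mandatory)][string]$Account,        # placeholder, e.g. 'CONTOSO\svc-backup' or '.\Administrator'
        [string]$ComputerName = $env:COMPUTERNAME      # managed system to inspect
    )

    # Local accounts appear as ".\name", "HOST\name" or just "name" depending on
    # how they were configured; fold them all into "HOST\NAME" before comparing.
    function Normalize([string]$name) {
        if ([string]::IsNullOrEmpty($name)) { return '' }
        $name = $name -replace '^\.\\', "$ComputerName\"
        if ($name -notmatch '\\' -and $name -notmatch '@') { $name = "$ComputerName\$name" }
        return $name.ToUpperInvariant()
    }
    $wanted = Normalize $Account

    # Services: Win32_Service.StartName is the logon account of the service.
    $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { (Normalize $_.StartName) -eq $wanted } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name; State = $_.State; RunAs = $_.StartName }
        }

    # Scheduled tasks: there is no WMI class, so parse the verbose CSV output of
    # schtasks. Repeated header rows (one per task folder) are filtered out.
    $tasks = schtasks /Query /S $ComputerName /V /FO CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and (Normalize $_.'Run As User') -eq $wanted } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Task'; Name = $_.TaskName; State = $_.Status; RunAs = $_.'Run As User' }
        }

    @($services) + @($tasks)
}

# Usage (placeholder names): run before ticking the services check box for the account.
Get-AccountDependencies -Account 'CONTOSO\svc-backup' -ComputerName 'FILESRV01' | Format-Table -AutoSize
```

Anything the script lists under Type = Task is not a Windows service; the guide describes only service updates for that option, so review those entries and handle them yourself when the password changes.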

Managing Passwords
There are three stages in the password release process:

Requesting a password

Approving a password

Retrieving a password

Requesting a Password
You must be assigned the Requestor role in Retina CS to request a password
release.

The ticket system is managed from the appliance. PowerBroker PasswordSafe does not interact with a ticket system; the ticket information is added for reference only, to track password requests related to a ticket. For more information, refer to the PowerBroker Safe Administration Guide.
To request a password release:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Request Password tab.
3. Provide the request information, and then click Request Password.

A message is displayed indicating that your request is in the approval queue. At this point, you can view all of your requests or create a new request. An email notification is sent to you confirming the password request.

You can review all of your password requests on the Request Password page. Select the tabs to filter the password requests. The All filter displays all password requests, including pending, expired, and active. An active password is a password that is approved and checked out.


Approving a Password
You must be assigned the Approver role to approve password releases.
There might be more than one approver required depending on how the
managed systems are configured.
To approve a password request:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Approve Requests tab.
3. Select a request in the list.
The Approval History displays the number of approvals required and if
any approvals are applied.

4. Click Approve.

The Retrieve Password button is now available to the original requestor
in the Approval History section of the Approve Request page.
Click Check-in Password at any time to expire the released password.
The password is then no longer available to use.

Retrieving a Password
To retrieve a password:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Select the Request Password tab, and then select an account.
3. Click Retrieve Password.
4. Click Highlight Password, and then press Ctrl+C to copy the password to the Clipboard.


Regulatory Reports Pack


The Regulatory Reporting packs require a license to activate the feature
set. Contact your BeyondTrust representative.
Not supported in Retina CS Community.
In this section,
Compliance Scans
Healthcare Pack
Finance Pack
Government Pack
Running a Compliance Scan
Reviewing Compliance Scan Results
You can run regulatory reports to ensure that your assets are in compliance.
Review the following sections to learn more about the compliance scan
templates available, compliance coverage, running a scan, and reviewing scan
results.


Compliance Scans
By default, the following scan templates are available. The Healthcare, Finance, and Government packs need an updated license key.

ISO-27002 Scans
Compliance Area: Section 12.6.1 Control of technical vulnerabilities

COBiT Scans
Compliance Area: Section DS11.6 Security Requirements for Data Management

Healthcare Pack Compliance Scans

The Healthcare Pack includes a HIPAA scan template. Contact BeyondTrust for a license key to activate the compliance pack.

HIPAA Scans
Compliance Area: Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation.

Finance Pack Compliance Scans

The Finance Pack includes SOX and GLBA scan templates. Contact BeyondTrust for a license key to activate the compliance pack.

GLBA Scans
Compliance Area: Section 6801 Protection of nonpublic personal information.

SOX Scans
Compliance Area: Section 404 Management Assessment of Internal Controls.

Government Pack Compliance Scans

The Government Pack includes the FERC-NERC, NIST 800-53, and MASS 201 scan templates.



Contact BeyondTrust for a license key to activate the compliance pack.

FERC-NERC Scans
Compliance Area: CIP-005-3 R4 Cyber Vulnerability Assessment

NIST-800-53 Scans
Compliance Area: SA System and Services Acquisition; SA-10 Developer Configuration Management

MASS 201 Scans
Compliance Area: Section 17.03(2)(b)(3) Duty to Protect and Standards for Protecting Personal Information - Detect and Prevent Security Systems Failures

Running a Compliance Scan

The following procedure is an overview of running a scan. For detailed information on scan options, see Scanning.
To run a compliance scan:
1. Select the asset group, and then select Scan.
2. Select the compliance scan template. Ensure the correct license key is applied to activate the compliance scan templates.
3. Click Scan.
4. Select the scan options, and then click Start Scan.


Reviewing Compliance Scan Results


A compliance report (for example, from the HIPAA Compliance scan) opens with a summary of the vulnerability details broken down by severity.

Scroll through the list of vulnerabilities in the report to review the remediation fixes, CVSS scores, and additional information for each vulnerability.


Configuration Compliance Pack


The Configuration Compliance module requires a license to activate the
feature set. Contact your BeyondTrust representative.
Not supported in Retina CS Community.
In this section,
Setting Permissions for Configuration Compliance
Managing Benchmarks
Importing Benchmarks
Setting OVAL Tests Option
The following tools are available to run benchmark scans:

XCCDF audit groups. The Secure Configuration Audits audit group ships with the Configuration Compliance module. Use this audit group to run your scan.

Benchmark configuration. Import benchmark templates, synchronize templates, and review versions of the benchmark templates that ship with Retina CS.

Configuration Compliance reports. Includes two reports: Benchmark Compliance and Benchmark Export.

For information about running a scan, see Running a Scan.

Setting Permissions for Configuration Compliance


You must create a user group and set permissions for the user group to run
configuration compliance scans.
To create a group and set the permission:
1. Click the Configure tab, and then click Accounts.
2. Click + in the User Groups pane to create a group.
3. Enter a group name and description.
4. Select the Read and Write check boxes for the Benchmark Compliance permission.
5. Add an IP range for the group.



6. Select attributes (optional).
7. Click Update.
Add your configuration compliance users to the group. See User Accounts.

Managing Benchmarks
Retina CS ships with a default set of benchmark templates. You can import
additional or updated benchmarks, and synchronize benchmarks.
If you are working with your benchmark profiles outside Retina CS, then
you can synchronize the templates using the Retina CS Configuration tool.
To download an editor to change your benchmarks, click the Download
Editor button.
To manage benchmarks:
1. Click the Configure tab.
2. Click the Benchmark Management tab.
3. Expand a benchmark to review more detail.
Policies included with benchmark templates can be inactivated if they do
not apply. Clear policies as needed.

4. To import templates, click Import New Benchmark, navigate to the file, and click Open. To overwrite an existing template, click Yes.
Importing Benchmarks
You can import .cab or .zip files that include the following:

For Windows 7:
CIS_Windows_7_Benchmark_v1.1.0_oval.xml
CIS_Windows_7_Benchmark_v1.1.0.xml
Windows-7-cpe-oval.xml
Windows-7-cpe-dictionary.xml

For Windows Server 2008:
CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml
CIS_Windows_2008_Server_Benchmark_v1.1.0.xml
Windows-2008-cpe-oval.xml
Windows-2008-cpe-dictionary.xml
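A benchmark bundle is only useful if every automated rule in the XCCDF file can be resolved to a definition in the accompanying OVAL file; a rule whose check points at a definition the OVAL file does not contain cannot be evaluated. The following PowerShell script is an added example, not Retina CS code or CIS content: it cross-checks an XCCDF benchmark against its OVAL definitions file before you click Import New Benchmark. It assumes the XCCDF 1.1 namespace used by the CIS v1.1.0 benchmarks listed above (change the namespace URI for XCCDF 1.2 content) and the OVAL Definitions 5 namespace. The two XML documents embedded in the script are constructed minimal samples, with one reference deliberately left unresolved to show what a broken bundle looks like.

```powershell
# Added example (not Retina CS code): verify that every check-content-ref in an
# XCCDF benchmark resolves to a definition in the bundle's OVAL file.
function Test-BenchmarkBundle {
    param(
        [Parameter(Mandatory)][xml]$Xccdf,   # contents of CIS_*_Benchmark_v1.1.0.xml
        [Parameter(Mandatory)][xml]$Oval     # contents of CIS_*_Benchmark_v1.1.0_oval.xml
    )
    $xccdfNs = 'http://checklists.nist.gov/xccdf/1.1'                 # assumed: XCCDF 1.1
    $ovalNs  = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'   # OVAL Definitions 5.x

    $xm = New-Object System.Xml.XmlNamespaceManager($Xccdf.NameTable)
    $xm.AddNamespace('x', $xccdfNs)
    $om = New-Object System.Xml.XmlNamespaceManager($Oval.NameTable)
    $om.AddNamespace('o', $ovalNs)

    # Index every definition id the OVAL file actually provides.
    $defined = @{}
    foreach ($d in $Oval.SelectNodes('//o:definition', $om)) {
        $defined[$d.GetAttribute('id')] = $true
    }

    # Walk every Rule and report how each of its check references resolves.
    foreach ($rule in $Xccdf.SelectNodes('//x:Rule', $xm)) {
        $ruleId = $rule.GetAttribute('id')
        $refs = $rule.SelectNodes('x:check/x:check-content-ref', $xm)
        if ($refs.Count -eq 0) {
            # No automated check at all: the rule can only be assessed manually.
            [pscustomobject]@{ Rule = $ruleId; Ref = ''; Status = 'NO-CHECK' }
            continue
        }
        foreach ($ref in $refs) {
            $defId = $ref.GetAttribute('name')
            $status = if ($defined.ContainsKey($defId)) { 'OK' } else { 'MISSING' }
            [pscustomobject]@{ Rule = $ruleId; Ref = $defId; Status = $status }
        }
    }
}

# Constructed sample benchmark: two automated rules and one manual rule.
$xccdfSample = @'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <Group id="password-policy">
    <Rule id="min-password-length" selected="true">
      <title>Minimum password length is 14 or more characters</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample_oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="lockout-threshold" selected="true">
      <title>Account lockout threshold is 5 or fewer attempts</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample_oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="manual-review" selected="true">
      <title>Rule with no automated check</title>
    </Rule>
  </Group>
</Benchmark>
'@

# Constructed sample OVAL file: only def:1 exists, so def:2 is reported MISSING.
$ovalSample = @'
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="compliance">
      <metadata><title>Minimum password length</title></metadata>
    </definition>
  </definitions>
</oval_definitions>
'@

$report = Test-BenchmarkBundle -Xccdf $xccdfSample -Oval $ovalSample
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -eq 'MISSING' }) {
    Write-Warning 'The benchmark references OVAL definitions the bundle does not contain; fix it before importing.'
}

# For a real bundle, extract the archive and pass the two files:
# Test-BenchmarkBundle -Xccdf ([xml](Get-Content .\CIS_Windows_7_Benchmark_v1.1.0.xml)) `
#                      -Oval  ([xml](Get-Content .\CIS_Windows_7_Benchmark_v1.1.0_oval.xml))
```

Rules reported as NO-CHECK are not an error; they simply have no OVAL check and will not be scored by a scan. Rules reported as MISSING indicate a mismatched or truncated pair of files and should be corrected before the bundle is imported.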

Setting OVAL Tests Option


You can store the OVAL XML data in the Retina CS database.
If the option is selected, the OVAL values used to determine whether a rule was compliant are parsed from the OVAL output files and stored in the Retina CS database.
To store OVAL tests in Benchmark reports:
1. Select Options.
2. On the Application Options dialog box, expand Benchmark
Compliance.
3. Select the Yes check box to store OVAL tests.
4. Click Update.


Appendix A: Preparing Your Database Application for Scans
Not supported in Retina CS Community.
You can set your database applications as targets for scanning. To ensure that your database can be successfully scanned by Retina, review the following section on MySQL to prepare your database.

Preparing Your MySQL Database

Review your MySQL settings and ensure the following is in place:

Verify that the latest GA release of the MySQL ODBC driver is installed on the scanner system:
1. Go to Administrative Tools.
2. Run Data Sources (ODBC).
3. Select the Drivers tab.
4. Search for the MySQL driver.
5. If no driver is found, download and install the latest GA release of the MySQL driver from the MySQL website.

Ensure that a remote connection can be established to the target database using the mysql tool provided with the MySQL database installation.
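The two checks above can be scripted so they are repeatable on every scanner host. The following PowerShell script is an added example and is not Retina CS code: the first function reads the ODBC driver registrations from the registry (both the native hive and the WOW6432Node hive, because a 32-bit process on 64-bit Windows only sees the latter), and the second verifies TCP reachability of the target and then runs an authenticated query with the mysql client, passing the password through the MYSQL_PWD environment variable rather than on the command line. The host name, account and the assumption that mysql.exe is on the PATH are placeholders; the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not Retina CS code): pre-flight checks for a MySQL scan target,
# run on the Retina scanner host.
function Get-MySqlOdbcDriver {
    # ODBC drivers are registered per bitness; report both hives so you can see
    # whether the driver the scanner process needs is actually present.
    $hives = @(
        @{ Path = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers';             Bitness = '64-bit' },
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI\ODBC Drivers'; Bitness = '32-bit' }
    )
    if (-not [Environment]::Is64BitOperatingSystem) { $hives[0].Bitness = '32-bit' }
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive.Path)) { continue }
        $key = Get-Item $hive.Path
        foreach ($name in $key.GetValueNames()) {
            if ($name -like '*MySQL*') {
                [pscustomobject]@{ Driver = $name; Bitness = $hive.Bitness; State = $key.GetValue($name) }
            }
        }
    }
}

function Test-MySqlRemoteAccess {
    param(
        [Parameter(Mandatory)][string]$DbHost,                    # placeholder target
        [Parameter(Mandatory)][string]$User,                      # placeholder scan account
        [Parameter(Mandatory)][Security.SecureString]$Password,
        [int]$Port = 3306,
        [string]$MysqlExe = 'mysql.exe'                            # assumed to be on PATH
    )
    $result = [ordered]@{ Host = $DbHost; Port = $Port; Tcp = $false; Auth = $false; Detail = '' }

    # 1. Raw TCP reachability first, so a firewall or bind-address problem is not
    #    mistaken for a bad credential.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($DbHost, $Port); $result.Tcp = $true }
    catch { $result.Detail = "tcp: $($_.Exception.Message)"; return [pscustomobject]$result }
    finally { $client.Close() }

    if (-not (Get-Command $MysqlExe -ErrorAction SilentlyContinue)) {
        $result.Detail = "client: $MysqlExe not found"
        return [pscustomobject]$result
    }

    # 2. Authenticated query with the mysql client. The password reaches the child
    #    process through MYSQL_PWD instead of the command line, where it would be
    #    visible in process listings; the variable is removed again afterwards.
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Password)
    try {
        $env:MYSQL_PWD = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
        $out = & $MysqlExe --host=$DbHost --port=$Port --user=$User --batch --skip-column-names -e 'SELECT VERSION()' 2>&1
        $result.Auth = ($LASTEXITCODE -eq 0)
        $result.Detail = ($out | Out-String).Trim()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)
        Remove-Item Env:\MYSQL_PWD -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# Usage (placeholder host and account):
Get-MySqlOdbcDriver | Format-Table -AutoSize
$cred = Get-Credential -Message 'MySQL account used by the Retina scan'
Test-MySqlRemoteAccess -DbHost 'db01.example.com' -User $cred.UserName -Password $cred.Password
```

If Tcp is false the database is unreachable from the scanner (firewall, or MySQL bound to localhost only); if Tcp is true and Auth is false, the Detail field carries the server's error text, which usually points at a missing remote grant for the account.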


Appendix B: BMC Remedy


You can export asset and vulnerability data from Retina CS to your BMC
Remedy server.
To configure Retina CS, you must:

Create a connector to Remedy.

Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will be exported to the Remedy system.

Your Remedy system must already have forms created to accept asset and vulnerability information.

Creating a Connector to your BMC Remedy Server


Settings from your Remedy WSDL file are required to create the connector.
Sample data from a WSDL file:

Note: Remedy web service endpoints expect a sortable date format, for example 2009-06-15T13:45:30. You can override the default format with a valid .NET date format string in the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString
View examples of standard date format strings here:
http://msdn.microsoft.com/en-us/library/az4se3k1.aspx
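A format string that is valid for .NET is not necessarily one Remedy can sort or parse, and a wrong value is only noticed when exports start failing. The following PowerShell script is an added example, not Retina CS code: it renders a candidate format string, parses the result back with the same string, and reports whether the value round-trips and has the sortable year-month-day-T-time shape; only a string that passes both checks is written to the registry value named in the note above. The value is written as a REG_SZ string, which is an assumption (the guide does not state the value type), and the format strings in the usage lines are illustrative.

```powershell
# Added example (not Retina CS code): validate a .NET date format string before
# installing it as the Remedy export override.
function Test-RemedyDateFormat {
    param([Parameter(Mandatory)][string]$Format)
    $sample = [datetime]'2009-06-15T13:45:30'     # the example value from the guide
    $inv = [Globalization.CultureInfo]::InvariantCulture
    try {
        $text = $sample.ToString($Format, $inv)
        # A usable override must parse back to the same instant under the same
        # format (a date-only or 12-hour string silently loses information) and
        # must be lexically sortable, i.e. start with yyyy-MM-ddTHH:mm:ss.
        $back = [datetime]::ParseExact($text, $Format, $inv)
        [pscustomobject]@{
            Format    = $Format
            Rendered  = $text
            RoundTrip = ($back -eq $sample)
            Sortable  = ($text -match '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}')
        }
    } catch {
        # ToString or ParseExact rejected the string outright.
        [pscustomobject]@{ Format = $Format; Rendered = $null; RoundTrip = $false; Sortable = $false }
    }
}

function Set-RemedyDateFormat {
    param([Parameter(Mandatory)][string]$Format)
    $check = Test-RemedyDateFormat -Format $Format
    if (-not ($check.RoundTrip -and $check.Sortable)) {
        throw "Refusing to install '$Format': it renders as '$($check.Rendered)', which is not a sortable round-trip value."
    }
    # Path as documented in the guide. If it is absent on a 64-bit host, look under
    # HKLM:\SOFTWARE\WOW6432Node\eEye\RetinaCS, where a 32-bit service is redirected.
    $key = 'HKLM:\SOFTWARE\eEye\RetinaCS'
    if (-not (Test-Path $key)) { throw "$key not found; run this on the Retina CS server." }
    # REG_SZ is assumed; the guide does not state the value type.
    New-ItemProperty -Path $key -Name 'RemedyExportDateFormatString' -PropertyType String -Value $Format -Force | Out-Null
    (Get-ItemProperty -Path $key).RemedyExportDateFormatString
}

# Usage: compare a few candidate strings, then install one (elevated, on the Retina CS server).
'o', 's', 'yyyy-MM-dd', 'MM/dd/yyyy hh:mm' | ForEach-Object { Test-RemedyDateFormat -Format $_ } | Format-Table -AutoSize
# Set-RemedyDateFormat -Format 's'
```

In the table, "s" and "o" pass both checks; "yyyy-MM-dd" renders but drops the time, so it does not round-trip; "MM/dd/yyyy hh:mm" parses back to 01:45 because the 12-hour field has no AM/PM designator, and neither of the last two sorts correctly.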
To create a connector:
1. Click the Configure tab, then click the Export Connectors tab.
2. Click +, then click BMC Remedy Connector.
3. Enter a connector name, and a Remedy user name and password.
The connector name can be any name.



The credentials for the Remedy system must provide access to the web
service and be able to create requests.
The Active check box is selected by default. Data is only exported when
the check box is selected.
4. Select the check boxes depending on the data that you want to export:
Export Assets, Export Vulnerabilities. You can select both.
5. For the export options, enter the following information:

Web Service URL Enter the location where data will be exported.

Target Namespace Enter the target namespace from the WSDL file.

SOAP Action Enter the action as defined in the WSDL file.

Field Mappings Enter the fields that you want to include in the export data. The order of the fields must match the order of the fields in the WSDL file. Use the arrows to change the order.

6. After you provide the information, click Test to ensure a connection is established to your Remedy system. Note that the test creates a record in the Remedy system.
7. Click Update.


Creating a Smart Group


Assets and vulnerabilities exported are defined in the Smart Group.
To configure the Remedy Smart Group:
1. Configure the Smart Group as usual. See Creating a Smart Rule.
2. In the Perform Actions area, select Export Data.
3. Select the name of the Remedy connector.
4. Select an audit group from the list. Only vulnerabilities in the selected audit group are exported. If no audit group is selected, all vulnerabilities for all assets are exported.
5. Enter the expiration period, in days. Assets and vulnerabilities (depending on what is defined in the connector details) are exported only once in the defined expiration period. However, an item (asset or vulnerability) might be exported more than once if, for any reason, it leaves the Smart Group and is then included again later. After the expiration period passes, the item is exported again if it remains in the Smart Group.
6. Click Save.

Exporting the Data


After the Smart Group is created, the data is collected and exported every hour on the hour. You can change the default export time in the RemManagerSvc.exe.config file located in the Retina CS install directory.

View the export results in your Remedy system. Export results and alerts on progress are not shown in Retina CS.

To stop exporting data, clear the Active check box on the Remedy Connector Details page.
