Deploying SensorFu Beacon Windows Application with GPO

Sometimes you need to build isolated and strictly restricted environments for special purposes. Typically this is done via strict firewall rules, segregating of VLAN’s or even with air gaps.

From day one, ease of deployment has been our key design goals. This article describes how to make deploying Beacon applications to Windows based infrastructure lightning fast and easy. Ready, set, deploy using Group Policy (GPO).


Pre-requisities and assumptions

Few pre-requisities exist (as usual, right?) — This covers deployment of SensorFu Beacon Windows Application with Microsoft Windows Group Policy.

  • Access to a SensorFu Home and Beacon Application version 3.11.0 or newer.
  • Working knowledge of using Windows GPO to deploy applications. https://support.microsoft.com/en-us/help/816102/how-to-use-group-policy-to-remotely-install-software-in-windows-server
  • Target of installation example used in this walkthrough is Windows Server 2012 R2, as a member server of AD.
  • This example installation covers basic SensorFu Beacon configuration features on GPO.
  • You have already generated SensorFu Beacon Windows Application for your GPO setup from SensorFu home
  • The naming of Beacon should follow required deployment scenario, thus having either name for single deployment (as we do have here) OR named after generic, feasible policy to be altered with MST configuration during the deployment, for larger scale deployment.
  • The Beacon Windows Application is downloaded or transferred by other means feasible for software distribution server.
  • NOTE: You have crafted suitable MSI modifier (MST) for the deployment application if needed (in case of multiple servers as targets, for example).
  • NOTE: SensorFu does NOT, at least at the moment, supply MST configuration modifier file as the deployment is greatly environment dependent.

Step 0: Home — Observations

Pre-requisites ok? Check! So, let’s move on!

In many cases your server (a.k.a asset) is able to talk internet directly or with very little security precautions in mind. This is achieved with various of techniques used to communicate with other hosts, taking one example: DNS.

The screen capture below might resemble how Home Observations UI looked prior Beacon Windows Application deployment to your target server.

FIgure 1: SensorFu Beacon — the Home UI & observations, looks clean!

Step 1: Create new GPO (or use pre-existing one suitable)

Create new GPO (or utilize suitable pre-existing one), define scope & links. This is pretty straight forward. operation, like with any GPO deployable application in mind.

Figure 2: New GPO placeholder for SensorFu Windows Application Deployment

Step 2: Create Package

Define configuration modifications potentially needed by your deployment discipline. This means for example any MSI modifiers you may need.

Important: To deploy SAME Beacon binary on multiple targets (note: You might have created & downloaded binary with hostname in mind), you need to have modification NAME=$env:COMPUTERNAME as part of the msiexec string; e.g. as modifier (on MST modifier file). The name given at build stage is not necessary a hostname.

This adds unique hostname information for each deployment client. So either as part of the installation execution routine (like batch) or as MSI modifier file, you need to tell which Beacon is trying to make a call towards Home.

You can alternatively create & download unique binary for each deployment occasion, but then keep in mind the scope of GPO distribution, e.g. single host, multiple hosts, whole domain etc. As a best practice, use MST modifier crafted as you like (by you or your organization) or alternative means, like batch processing with msiexec.

Figure 3 and 4: Software installation configuration options on GPO

Step 3: GPO Configuration ready!

Now the package is created, assigned, configuration modifications in place and source (e.g where client downloads the package) is downloadable. Remember security! Needed permissions greatly depend WHEN the GPO installation kicks in, as an example: during, after, logoff — situations.

Figure 5: Create share or use pre-existing for deploying app!

Step 4: Update GPO sync. on deployment client

You may wait deployment per defined sync. schedule your AD already has or just manually invoke it to see results (by Microsoft, sync is the best practice). Here shown w/force -option to include all GPO related disciplines. You may have some other GPOs to apply simultaneously.

Figure 6: gpupdate /force (or sync!)

Step 5: Verify GPO’s

After GPO’s are applied, SensorFu Deployment (GPO) is visible on multiple locations, one of them is from GPO tool as shown below.

Figure 7: Check GPO Appliance status

Step 6: Beacon Kicks in!

Verify the service is up (automatic start) on deployment client.

Figure 8: Service is up…the software has been delivered!
Figure 9: Automatic service startup in place

Step 7: Observations UI after Beacon deployment

This is somewhat optional step. You may want to observe immediate results if any leaks (breakout from deployed host) happen.

Figure 10: Observations UI after Beacon Application is deployed…looks like server is leaking out (DNS) !

All done. Test, verify, test again. Deploying to QA or test environment prior actual production use is highly encouraged.


Configuration items & local events

Beacon has 2 files (binary & toml -file for config) under SensorFu — directory.

In case there’s need to verify tests being performed or further utilized by diagnostic systems, auditing or “tripwiring” certain files, you may want to have those files under scope.

Figure 11: Contents of beacon.toml

In addition, SensorFu Beacon Windows Application creates events on WinAppEvents -log.

Figure 12: Event example of local Windows Application Event created by SensorFu Beacon Windows Application

Follow-up Activities

SensorFu Beacon tries to breakout towards Home and when this happens, Home creates Observation. These observations are available for further processing for log management, SIEM or Threat Intelligence.

Typical methods to integrate SensorFu Beacon/Home to SIEM is via syslog or API.

Home allows configuration of multiple syslog target(s). Suggestion: Have your SIEM or log management facility as target.

Some people use Splunk, some adapt other SIEM brand. For Splunk, easy integration can be accomplished with available SensorFu Beacon App for Splunk (in case organization is using Splunk, that is..).

Note: The Splunk App is usable for all Beacon types.

Figure 13: SensorFu Beacon App for Splunk (dev. version screencap)

The app have certain elements available making observations to align with your asset management, threat analysis and further processing of the activities.

The screen capture is from the SensorFu Beacon App for Splunk development version having organizational metadata in form of defined asset locations or VLAN’s and criticality (i.e impact) of the possible breach in place. This is achieved via simple to use reference lookup tables having the elements in place.

These elements include but are NOT limited to:

  • Beacon type (Windows Application, Linux Application, VM, Raspberry Pi)
  • Protected network and/or asset (like Network/VLAN, own naming convention)
  • Criticality