Saturday, April 4, 2015

Correct Share Settings for Adding a Server in Varonis

When adding servers to Varonis, under the Shares tab select the highest level shares that Varonis has access to.  In addition, there is an option to Automatically detect shares.  This should be set to “Detect and Notify” and the “Notify” option should be set to once.  That way, whenever a share is added to a server an email will go out indicating that fact.  At that point, if it is a new volume or new top-level share, you can go back into the Management Console and add that volume.  Do not automatically monitor shares, as this may pick up devices such as CD drives or shares that should not be monitored, such as backup shares.

Friday, February 6, 2015

Removing Disabled Users from the Varonis Permissions Report

One of the most commonly used reports in Varonis DatAdvantage is the “4b - Effective Permissions for User or Group” report.  This is used to list all of the groups and users that have access to a particular folder.  One of the challenges that we faced at a particular customer was that the business people did not want to see the disabled users who had access to the folder.  There is a filter, “Disabled Accounts,” that lets you exclude them.  However, if you just add that filter it also removes all of the groups that have access to the folder.  Thanks to Kevin Cyr for asking me if there is a way around this.  Indeed, there is!  Here is a screenshot of a filter that handles the problem.  The root cause is that groups do not have the “Disabled Account” property in Active Directory, so a standalone “Disabled Accounts” filter excludes them as well.

Monday, September 1, 2014

Identify Servers with Duplicate SIDs in Varonis

One of the challenges in managing a multitude of Windows servers is that Microsoft allows more than one server to have the same SID within a domain.  This usually happens because people clone an existing server and then change the name.  Varonis DatAdvantage uses the SID as a unique identifier for the server in some portions of its system.  The primary impact is in managing local groups.  So if we have two or more servers in DatAdvantage with the same SID, only one of them will correctly collect and report on the local security groups, such as the Administrators group.  We can identify these servers by running a SQL Server query from the IDU server.  Here is the query.

use vrnsDomainDB;

-- List every filer (monitored server) whose SID (filerIdentity) is shared
-- with at least one other filer; only one of each set collects local groups correctly
select filer_hostname, filer_ipaddress, filerIdentity
from filers
where filerIdentity in (
    select filerIdentity
    from filers
    group by filerIdentity
    having count(filerIdentity) > 1
)
order by filerIdentity;

Sunday, June 22, 2014

Varonis Troubleshooting: RPC Failures

In Varonis DatAdvantage the Probe and the monitored Windows file server communicate using RPC services.  When events are not being collected, or the Probe cannot reach the Windows server, one place to look when troubleshooting the problem is the Windows event log on the Probe.

If we receive the error message that the RPC server is unavailable, how do we go about discovering the root cause of the problem?  PortQry is a tool from Microsoft that lets you test connectivity from one server to another.  To test connectivity to a monitored server, go to the Probe or Collector that is attempting to collect events or run the file walk and failing.  Run the following command:

portqry -n ServerName -p TCP -e 4972

The command should be able to:

1) Resolve the host name
2) Connect to port 4972 (which Varonis uses to connect to the service)
3) See that the port is in the Listening state.

If the response is Filtered then a firewall or some other service is blocking the connection.  If the response is Not Listening then the Varonis Filer Logger is not running or has errors.  At that point, go to the server and check the status of the service.
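The check above, scripted for a whole list of monitored servers, as an added example that is not part of the original post.  It runs the same portqry command from the Probe or Collector and maps each result to the root cause described above; it assumes portqry.exe is on the PATH, and the "Failed to resolve" wording used for name-resolution failures is an assumption.

```powershell
# Added example (not from the original post): run the portqry check against
# several monitored Windows servers and map each result to the troubleshooting
# guidance above. Assumes portqry.exe (Microsoft PortQry) is on the PATH.
function Test-VaronisFilerLoggerPort {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ServerName,
        [int] $Port = 4972,                 # port the Probe uses to reach the Filer Logger
        [string] $PortQryPath = 'portqry.exe'
    )
    foreach ($server in $ServerName) {
        # Same command as the post: -n host, -p protocol, -e endpoint (port)
        $output = (& $PortQryPath -n $server -p TCP -e $Port 2>&1) -join "`n"

        # "NOT LISTENING" must be tested before "LISTENING" because it contains it
        $state = if ($output -match 'NOT LISTENING') { 'NotListening' }
                 elseif ($output -match 'LISTENING') { 'Listening' }
                 elseif ($output -match 'FILTERED') { 'Filtered' }
                 elseif ($output -match 'Failed to resolve') { 'NameResolutionFailed' }  # assumed wording
                 else { 'Unknown' }

        # Map the portqry state to the next step from the post
        $action = switch ($state) {
            'Listening'            { 'Port reachable; the Filer Logger is accepting connections' }
            'Filtered'             { 'Firewall or another service is blocking the connection' }
            'NotListening'         { 'Filer Logger not running or has errors; check the service on the server' }
            'NameResolutionFailed' { 'Probe cannot resolve the host name; check DNS' }
            default                { 'Inspect the raw portqry output' }
        }

        [pscustomobject]@{ Server = $server; Port = $Port; State = $state; Action = $action; Raw = $output }
    }
}

# Usage from the Probe/Collector (server names below are constructed placeholders)
Test-VaronisFilerLoggerPort -ServerName 'FILESRV01', 'FILESRV02' |
    Format-Table Server, Port, State, Action -AutoSize
```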

Tuesday, October 8, 2013

Using Varonis to find misconfigured Exchange mailboxes

One of the wonderful features of Varonis DatAdvantage is the 3d-Users and Groups List report.  On the surface it is just a list of all of the users and groups in the domain, but with the creative use of filters and the Extended Properties, you can answer a lot of useful questions.

For example, during the migration of mailboxes from Exchange 2003 to Exchange 2010, there are mailboxes where certain attributes are not updated correctly, which becomes obvious once the old Exchange server is shut down.  One of these attributes is the user's homeMTA.  If you look at the field it will contain something like this.

CN=Microsoft MTA\0ADEL:097a9a78-54ae-4d27-a101-5daf2d0a30b5,CN=Deleted Objects,CN=Configuration,DC=Company,DC=com

As you can see, the MTA is listed as deleted and needs to be corrected.  One way to identify these mailboxes in Varonis is to use the 3d report.

First we have to add homeMTA to the Extended Properties.  As the Active Directory attributes are typically pulled once a night, we need to run the AD Walk and then the Pull AD jobs manually.

Then we can move on to reporting in 3d and develop a query like this:

The key component is to look for the "DEL" phrase in the homeMTA field.

Run this report and now you have a list of mailboxes to fix.

Once again, the 3d-report can be your best friend.
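The same "DEL" test on the homeMTA field, run directly against Active Directory, as an added example that is not part of the original post.  It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the account running it can read user attributes; the function name is hypothetical.

```powershell
# Added example (not from the original post): list mailbox users whose homeMTA
# still points at a deleted MTA object, which is the "DEL" test the 3d report
# filter applies. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-DeletedHomeMta {
    param([string] $SearchBase)   # optional OU distinguished name; omit to search the whole domain

    # Presence filter only: AD does not support wildcard (substring) matches on
    # DN-syntax attributes such as homeMTA, so the "DEL" test is done client-side.
    $params = @{ LDAPFilter = '(homeMTA=*)'; Properties = 'homeMTA', 'mail' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        # A deleted MTA shows up under CN=Deleted Objects with a "\0ADEL:<guid>" RDN
        Where-Object { $_.homeMTA -match 'DEL:' } |
        Select-Object SamAccountName, mail, homeMTA
}

# Usage: the resulting list is the set of mailboxes whose homeMTA needs correcting
Find-DeletedHomeMta | Format-Table -AutoSize
```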

Tuesday, May 28, 2013

Creating a Folder List for Varonis DatAdvantage

For some of the reports within Varonis DatAdvantage, such as 4b, Varonis has the ability to accept a list of folders to process.  This file consists of two fields separated by the pipe “|” character.  When a folder list is generated by the 4f report from within DatAdvantage, the fields are separated by a comma.  This is true even if the default separator is set to "|" in the control panel.  In addition, when a NetApp folder is enumerated the path is separated by the “/” character like a UNIX folder, however the folder list only accepts the “\” character in the path.  Here is a PowerShell script that will clean up the issues with the folder list generated by the 4f report.

$OutAll = @()
# Folder list exported by the 4f report (comma separated; NetApp paths use "/")
$Infile = Import-Csv "C:\VaronisPublic\Varonis Output\output.csv"
foreach ($line in $Infile) {
    $OutLine = New-Object System.Object
    $OutLine | Add-Member -Type NoteProperty -Name FilerName -Value $line.FilerName
    # The folder list only accepts "\" as the path separator
    $a = $line.AccessPath -replace "/", "\"
    $OutLine | Add-Member -Type NoteProperty -Name AccessPath -Value $a
    $OutAll += $OutLine
}
# Write the two fields pipe separated, stripping the quotes ConvertTo-Csv adds
$OutAll | ConvertTo-Csv -Delimiter "|" -NoTypeInformation | ForEach-Object { $_ -replace '"', "" } |
    Out-File "c:\VaronisPublic\Varonis Output\outfile.csv" -Force -Encoding ascii

Wednesday, February 13, 2013

Varonis Data Governance Awards

With so many data breaches and negative stories coming out of the information security world, it is nice to see some positive news.  A new thing that Varonis Systems introduced this year was the "Data Governance" awards for customers that made outstanding use of the DatAdvantage platform and improved the security processes around their unstructured data.  I was proud to be a judge and see the wonderful progress that many organizations are making.  See the award winners here