On-premise user guide

This document describes how to sign up and get started with the Nanitor On-premise install. An on-premise installation is hosted on the client's own infrastructure. Please see the on-premise server deployment guide for further information.

The getting started process is in five steps:

  1. Signing up
  2. Creation of an Organization
  3. Data Collection
  4. Setting your Security Baseline
  5. Monitoring

Once you have completed the steps described in this guide, your IT infrastructure will be set up and ready, and any configuration changes that occur will be recorded and notification alerts sent.

1. Signing Up

Visit the on-premise Nanitor installation via https to sign up and click "I want to sign up". Fill in the form and the system will send a confirmation to the email address used. Follow the link in the email to complete the registration process.

When the registration is complete, the next step is to sign in.

A new user has no association with any organization. There are two ways to get associated with an organization:

  1. Create a new organization
  2. Another user in the system grants you access to their organization. In this case, after logging in, please wait until a user has granted you access and then refresh the page. You will then go straight into the organization page.

2. Creation of an Organization

After a successful login, please fill in the form on the "Create Organization" page.

An example for an organization “My Great Business” would be:

After filling this out the next step is to click “Submit”.

You can also request guest access to the Nanitor test organization, which is used to demonstrate the system. It contains 10 test devices in an Active Directory domain, which can be reconfigured, and holds historical data from Q3 2014 that can be used to get familiar with the system.

As the creator of an organization you have full rights and can grant access to other users. To grant access to another user: click on the icon in the top right corner (which loads the Administration page). Fill in the new user's details and select the desired access (either guest or admin) depending on the level of privileges you would like to grant to the user. If the user does not already exist in the system, an account will be created and the details sent to the user's email address.

A user can be associated with multiple organizations and the current one is listed in the drop-down list near the top-right corner next to the profile. The administration page has a functionality to switch between organizations.

3. Data collection – Installing the Nanitor Agent on your devices

To start data collection you need to set up the “Nanitor Agent” on all devices you want to monitor and associate each device with the appropriate “Security Benchmark”. The association instructs the device which security settings to send to the server. Each device sends a snapshot of its current configuration (the settings that fall under the associated benchmark) the first time after the association, and then every time the configuration changes. As a result, the system has the current configuration at any point in time and the capability to display and perform statistical analysis on the data. All communication between the Agent and the Server is compressed and configured to use HTTPS transport.

To start the data collection on a device, follow these steps:

Signup Key

To successfully sign up a device to Nanitor, a sign-up key is required. The sign-up key can be retrieved by clicking “Reveal Sign-Up key” on the Downloads page.

Microsoft Windows

Go to the Administration Page -> Downloads and download the “Nanitor Agent” (currently available for 32 and 64 bit Microsoft Windows). The MSI installer will prompt you for a “Sign-Up” key, which you can copy and paste into the field. The installation process will guide you through this.

RedHat / CentOS

First save the sign-up key to a file e.g. /root/signupkey.txt or wherever the device can access it. Then run the following commands as root or prefix with sudo accordingly:

curl -O https://packages.nanitor.com/files/nanitor-agent-centos-stable.repo
mv nanitor-agent-centos-stable.repo /etc/yum.repos.d/
rpm --import "https://packages.nanitor.com/files/gpg.asc"

yum install -y nanitor-agent

/usr/lib/nanitor-agent/bin/nanitor-agent signup --keyfile=/path/to/signupkey.txt
/etc/init.d/nanitor-agent start

Debian / Ubuntu

First save the sign-up key to a file e.g. /root/signupkey.txt or wherever the device can access it. Then run the following commands as root or prefix with sudo accordingly:

wget -O - "https://packages.nanitor.com/files/gpg.asc" | apt-key add -
echo 'deb http://packages.nanitor.com/deb/nanitor-agent/testing/ wheezy main' > /etc/apt/sources.list.d/nanitor.list
apt-get update
apt-get install nanitor-agent

/usr/lib/nanitor-agent/bin/nanitor-agent signup --keyfile=/path/to/signupkey.txt
/etc/init.d/nanitor-agent start
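The RedHat and Debian steps above wrapped into one install script, as an added example (not Nanitor's own tooling): it picks the package family from the /etc/os-release ID, refuses to enrol unless the sign-up key file is non-empty and readable only by its owner, and fetches the signing key over HTTPS (the same path the RedHat section already uses). Paths and URLs are the ones listed in this guide; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example wrapping the nanitor-agent install steps from this guide.
AGENT_BIN=/usr/lib/nanitor-agent/bin/nanitor-agent
KEYFILE=${KEYFILE:-/root/signupkey.txt}   # where the guide suggests saving the key

# Map an os-release ID to the package family used in the guide.
pkg_family() {
  case "$1" in
    rhel|centos|fedora) echo rpm ;;
    debian|ubuntu) echo deb ;;
    *) echo unknown ;;
  esac
}

# The sign-up key enrols devices into your organization: it must exist,
# be non-empty and not be readable by other local users (mode 600 or 400).
check_keyfile() {
  f=$1
  [ -s "$f" ] || { echo "sign-up key file missing or empty: $f" >&2; return 1; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "sign-up key file $f is mode $mode; expected 600" >&2; return 1 ;;
  esac
}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# install_agent <os-release ID>: install, enrol and start the agent.
install_agent() {
  check_keyfile "$KEYFILE" || return 1
  case "$(pkg_family "$1")" in
    rpm)
      run curl -O https://packages.nanitor.com/files/nanitor-agent-centos-stable.repo
      run mv nanitor-agent-centos-stable.repo /etc/yum.repos.d/
      run rpm --import https://packages.nanitor.com/files/gpg.asc
      run yum install -y nanitor-agent ;;
    deb)
      # Signing key over HTTPS so a network-path attacker cannot substitute it.
      run sh -c 'wget -O - https://packages.nanitor.com/files/gpg.asc | apt-key add -'
      run sh -c "echo 'deb http://packages.nanitor.com/deb/nanitor-agent/testing/ wheezy main' > /etc/apt/sources.list.d/nanitor.list"
      run apt-get update
      run apt-get install -y nanitor-agent ;;
    *) echo "unsupported distribution: $1" >&2; return 1 ;;
  esac
  run "$AGENT_BIN" signup --keyfile="$KEYFILE"
  run /etc/init.d/nanitor-agent start
}

# Usage: sh install-agent.sh install  (reads the distribution ID from /etc/os-release)
if [ "${1:-}" = install ]; then
  install_agent "$(. /etc/os-release && echo "$ID")"
fi
```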

Once the Agent has been installed, select “Devices” and verify that the device has been added to the list of registered devices. Over the next few minutes the agent will be tested for applicability against the various benchmarks and automatically assigned to the appropriate ones. This can be changed manually on the Devices page by selecting the device and viewing its benchmark assignments.

After the benchmarks have been assigned it will take a few minutes for the results to arrive; from then on Nanitor also tracks all changes that fall under the assignments. The results are reflected on the "Compliance Report Page".

4. Setting your Security Baseline

After analysis of the results collected it may well happen that your organization is not fully compliant with the best practices. A good example is requiring a password change every 60 days. Some organizations are not ready to fulfil that requirement and want to exclude it. The security baseline allows you to do just that by excluding that particular rule from the baseline. By setting the baseline you are tuning the system to your needs and letting the system know what really matters to your organization. After the baseline has been set, the system measures how well your organization is doing according to both best practices and your security baseline. The baseline is defined per benchmark and can be accessed from the Compliance Report page by clicking on an individual benchmark.

The baseline plays a key part in monitoring security configuration. When a rule that matters to you is violated, an incident is created. This forms the basis of integration with your ITIL/ticketing system of choice.

When results first arrive for a particular Benchmark, a default baseline with the lowest common denominator is created which means your Baseline should be 100% compliant. The idea is to iteratively add more items to the Baseline and improve your organization's security posture.

Few notes:


5. Monitoring

After having set the security baseline we have laid out exactly how we want our systems to be configured. If anything happens on our systems that changes that assumption, we want to be notified immediately and the incident escalated to the appropriate personnel. Organizations use ITIL systems to raise tickets that then get assigned to the right personnel. That way everything is documented and tracked within a single system. These systems differ, but have in common that they can watch an email inbox and create incidents based on the emails that arrive.

A typical scenario when assumptions change is when a system administrator makes changes to Group Policies and is not aware the change might impact the security posture of the organization. Alternatively, installing software on a device might alter the configuration without the person installing being aware.

When a particular configuration changes for the worse, Nanitor creates an incident, which represents the deviation from the rule. It tracks the lifespan from the first rule deviation to the last one. If a Group Policy causes a particular rule to be broken on 100 devices, the first breakage triggers incident creation and the subsequent ones are appended to it. The system provides good visibility over incidents and their status, such as which devices still have unresolved incidents.

The incident is resolved when the rule no longer deviates from the previously set baseline on any of the associated devices. Another way to resolve the incident is to remove the rule from the baseline. The point is that the organization can make a well-informed decision about how and when to resolve a particular incident.

Nanitor aims to integrate with existing systems instead of reinventing the wheel. Therefore, when an incident is created, we support notification via email, which plugs straight into the ITIL system. It also means that if the organization doesn’t have an ITIL system, they can simply watch the email inbox.

The lifecycle of an incident prevents information and notification overflow: when a particular rule breaks on many devices simultaneously, only one incident is created and only one notification sent.

The email representing the incident is thorough and describes exactly what rule has been broken and what the impact is. It contains a reference to the Nanitor system, which can be clicked to get more detailed information.

To activate monitoring and emailing of notification reports:

Go to the Administration Page -> Notifications, click "Add recipient", add the email address, select “Benchmark Incident Created” and click “Save”.

For each benchmark you want notifications for, enable it in the "Benchmarks enabled" list. This allows notifications to be enabled or disabled on a per-benchmark basis. By default they are disabled.

6. Integration with existing infrastructure

We aim to integrate as much with other infrastructure organizations have as possible: