METADATA FRAMEWORK 6.3. Installation Prerequisites and Requirements

Transcription

1 METATA FRAMEWORK 6.3 Installation Prerequisites and Requirements

2 Publishing Information Software version Document version 6 Publication date February 26, 2018 Copyright Varonis Systems Inc. All rights reserved. This information shall only be used in conjunction with services contracted for with Varonis Systems, Inc. and shall not be used to the detriment of Varonis Systems, Inc. in any manner. User agrees not to copy, reproduce, sell, license, or transfer this information without prior written consent of Varonis Systems, Inc. Other brands and products are trademarks of their respective holders.

3 CONTENTS Chapter 1: Introduction... 1 Installation of Microsoft Hotfixes and Patches... 1 Related Documentation...1 Chapter 2: Software Requirements...2 Chapter 3: Requirements for Monitored Resources...27 AIX...27 Azure Active Directory...28 Dell FluidFS EMC NAS Exchange On-Premises...31 Exchange Online...34 Hitachi NAS HP-NAS...35 IBM Storwize IBM Spectrum Scale (GPFS) Linux Local Machine Account NetApp...38 Samba Shares (CIFS on Unix)...39 Scality RING...40 SharePoint On-Premises...40 SharePoint Online...41 Sun Solaris/Open Solaris...42 Unix Directory Services Windows Windows Directories...45 Windows Directory Services (Active Directory) Chapter 4: Installation and Security Notes SharePoint Load Balancing...47 Issues and Limitations Required Credentials...49 Required Security Policies...55 Chapter 5: Supported Events CIFS NFS SharePoint On-Premises Events SharePoint Online and OneDrive Events...69 Exchange On-Premises Events Directory Services Events DatAdvantage Object Types DatAdvantage Operations...75 Platforms Supporting IP Address/Hostname METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS iii

4 CONTENTS Chapter 6: General Architecture...83 Chapter 7: Metadata Framework Ports and Protocols Chapter 8: Backup and Archiving Recommendations Chapter 9: Permissions and Service Accounts - FAQ METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS iv

5 1 INTRODUCTION The Varonis Metadata Framework is an analytic software-based solution for data usage management. With the Metadata Framework, organizations can see, understand, and manage who is using data, to control data access and enforce compliance with data usage policy to meet business needs. The Metadata Framework addresses the growing need for data usage regulation within organizations, enabling full visibility and accountability of data usage across legal, financial, data security, intellectual property, and data privacy requirements. To enable developing such a thorough understanding of an organization's data, several Metadata Framework components and features require Windows file and printer sharing: Data Classification Framework (DCF) Commit Engine Data Transport Engine Installer Installation of Microsoft Hotfixes and Patches Before beginning any installation or upgrade, it is strongly recommended to ensure the most updated Microsoft hotfixes and patches that suit your server versions are installed on each server. Related Documentation Metadata Framework Installation Guide User Guide METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 1

6 2 SOFTWARE REQUIREMENTS The following table summarizes the software requirements for each component of the Metadata Framework. Note: For information about database sizing, CPU speed, disk space and other hardware requirements, contact Varonis Professional Services or your Varonis System Engineer. Note: It is recommended to ensure English is installed on all Varonis servers, in addition to local languages. Component Required Software Versions Notes Collectors Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 2

7 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) For Exchange Online/SharePoint Online/Azure Active Directory: 4.5 (or higher) For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 4.0 (with 3.5 SP1 or higher installed as well), installed on all nodes A file server services group defined on the cluster for Varonis DatAdvantage User Interface Windows - Any of the following: 2003 SP R2 SP1 XP (any SP) 2000 SP R R Vista Local languages must be installed on the IDU Server in order for them to appear in the user interface. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 3

8 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) Data Classification Engine For Data Classification Labelling, see the Notes column. All Probes/Collectors should be connected to the internet. If not, see the procedure in the next row. Azure Information Protection (AIP)/Azure RMS SSO must be configured on all domains. If an Active Directory (AD) Rights Service (RMS) server is installed: Active Directory RMS Single Sign-On (SSO) must be configured on all Collectors/Probes. RMS SDK 64-bit version must be installed on all Collectors/Probes. The RMS super user must be configured with the following requirements: Capable of performing AIP and Active Directory RMS SSO as mentioned above - on all Collectors/Probes. Permissions on all Azure keys If AD RMS server is installed the user mush have permissions on all AD RMS keys contained in the AIP labels or must be AD RMS super user. Must be a dedicated Active Directory user (will be excluded from event monitoring) Each filer user must have (at least) the following permissions: Modify Change permissions Take ownership Backup Operator privileges METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 4

9 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes Azure AIP must be installed on each Collector/ Probe Hardware requirements in Collector/Probe Minimum of 8 cores - must be higher if DTE is installed In Data Classification Labelling, if the Probe/Collector has no internet connection: Note: MS Azure must be connected to the internet to work. 1. From the MS Azure portal, export the policy file (policy.msip) to this location: %localappdata%/microsoft/msip Note: If this file already exists there, replace it. 2. In the registry, go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft \MSIP 3. Set the following parameter: EnablePolicyDownload = 0 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 5

10 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes DatAlert Analytics Windows Server Any of the following: 2008 R SP R Must be a 64 bit server. In addition, for Windows Server 2012 R2: 1. Install Microsoft KB Install Microsoft KB These KBs must be installed in the following order: 1. clearcompressionflag.exe 2. KB KB KB KB KB KB METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 6

11 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) For cluster installation: Windows Server cluster comprised of Windows 2012 or 2012 R2.NET Framework 4.0 (with 3.5 SP1 or higher installed as well), installed on all nodes A file server services group defined on the cluster for Varonis DatAlert Web UI Windows Server - Any of the following: 2008 R SP R Microsoft.NET Framework 4.5 Browsers Internet Explorer 10 and higher Mozilla FireFox 33 and higher Google Chrome 38 and higher Apple Safari 7 and above Internet Explorer 9 and lower are not supported. Internet Explorer Compatibility mode is not supported. DatAnswers Windows Server 2008 R2 or Windows Server 2012 R2, 64-bit environment only JRE (Java Runtime Environment) 7 or bit IIS 7.5, 8, 8.5, 10.NET 4.0, 4.5 If DatAnswers was purchased separately (i.e., without a DatAdvantage license), DatAdvantage must be installed prior to DatAnswers installation. A user that is part of one domain will be able to search on other domains only if there is a trust METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 7

12 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes between the two domains and both domains are monitored in DatAdvantage All servers must be located on the same LAN All search nodes and state managers must have Java installed IIS 6 backward compatibility must be defined on Windows 2008 and Windows 2008 R2 IIS 6 Compatibility components must be installed on the machines on which the IDU Server and DatAnswers reside. The components must also be installed on Windows 2008 and Windows 2008 R2. DatAnswers does not support a Safari extension. The DatAnswers add-on is not supported on FireFox version 57 and onward. SharePoint links will continue to work properly as they do not require using the add-on. Data Sync Unit: Data Sync Unit share must be a CIFS share, preferably placed on a cluster server Data Sync Unit disk must have sufficient free space Classification service must be installed on all Probes and Collectors If Internet Explorer 9 is in use, as well as an IP address for DatAnswers (as opposed to the server name), the IP address must be added to the list of local intranet sites in the Internet Explorer security settings. Log on as a batch job policy: The policy setting must include at least one of the following values: METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 8

13 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes The IIS_IUSRS local group, responsible for IIS application pools The user running the Varonis DatAnswers IIS application pool One or more groups of which the user running the Varonis DatAnswers IIS application pool is a member Important: The user accounts configured in the Log on as a batch job policy setting must not be configured in the Deny log on as a batch job setting. Any user or group that is added to the Deny log on as a batch job policy setting will not be able to access DatAnswers. DataPrivilege Database Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R For DataPrivilege and DatAnswers, IIS 6 backward compatibility must be defined on Windows 2008 and Windows 2008 R2 or higher. TLS 1.1 and 1.2 are supported, for the connection between DataPrivilege and the database. Local languages must be installed on the IDU Server in order for them to appear in the user interface. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 9

14 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 or higher Microsoft SQL Server - Any of the following: 2008 Standard or, with SP3 and above 2008 R2 Standard or, with SP3 and above Not supported in Metadata Framework x or higher 2014 Standard or, with or without SP1. SP2 is supported. Due to a Microsoft limitation, it is recommended to use Internet Explorer 8 or higher to enable reporting services if SQL Server 2008 or 2008 R2 is installed. Note: Cumulative Update 6 is also required For See Microsoft KB SP1 or higher For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 3.5 with SP1, installed on all nodes Microsoft SQL Server cluster comprising: 2008, with SP1 or SP R2, with or without SP Not supported in Metadata Framework x or higher METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 10

15 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes Microsoft Distributed Transaction Coordinator (DTC) must be configured as a clustered service DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. DataPrivilege Services Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R Local languages must be installed on the IDU Server in order for them to appear in the user interface. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 11

16 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 or higher IIS 8, 8.5, 10 For DataPrivilege and DatAnswers, IIS 6 backward compatibility must be defined on Windows 2008 and Windows 2008 R2 or higher. TLS 1.1 and 1.2 are supported, for the connection between DataPrivilege and IIS. For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 4.0 (with 3.5 SP1 or higher installed as well), installed on all nodes A file server services group defined on the cluster for Varonis DataPrivilege web application Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R For DataPrivilege and DatAnswers, IIS 6 backward compatibility must be defined on Windows 2008 and Windows 2008 R2 or higher. Local languages must be installed on the IDU Server in order for them to appear in the user interface. The DataPrivilege web application cannot be installed on a cluster. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 12

17 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 If DataPrivilege or DatAnswers is installed - IIS 6.0 and above with ASP.NET and COM+ METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 13

18 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes Browsers for use with DataPrivilege Internet Explorer Mozilla FireFox 26 and higher Google Chrome 32 and higher Microsoft Edge 38 Screen resolution 1024 x x x x x 1080 DataPrivilege Bulk Upload Utility If installed on the same machine as DataPrivilege, the same prerequisites are needed. If installed on different machine than DataPrivilege, SQL Server Compact Edition 3.5 SP 2 must be installed on the same machine. The UAC must be disabled; otherwise, the database user must have Modify permissions for the Bulk Upload Utility's installation folder. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 14

19 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes IDU The IDU must be installed on a Microsoft Windows Active Directory Domain server. Other configurations are not supported. IDU Database Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. The IDU Server must reside on Windows Server 2008 R2 or above in order to install an Azure Active Directory domain. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 15

20 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 For Azure Active Directory: 4.5 (or higher) Microsoft SQL Server - Any of the following: 2008 Standard or, with SP3 and above 2008 R2 Standard or, with SP3 and above Not supported in Metadata Framework x or higher 2014 Standard or, with or without SP1. SP2 is supported. Note: Cumulative Update 6 is also required For See Microsoft KB SP1 or higher METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 16

21 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 3.5 with SP1, installed on all nodes Microsoft SQL Server cluster comprising: 2008, with SP1 or SP R2, with or without SP Not supported in Metadata Framework x or higher Microsoft Distributed Transaction Coordinator (DTC) must be configured as a clustered service DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 17

22 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes IDU Reporting Server Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R Regional settings on the IDU machine and the Reporting Services machine must be the same. The IDU Reporting Machine cannot be installed on an SQL cluster. To prevent a security loophole in which all of the Metadata Framework data could be viewed by unauthorized persons, the Metadata Framework changes the authentication and authorization methods of the Reporting Services installation to its own methods. Therefore, other applications may have issues if installed in the same Reporting Services installation. To enable sending notifications, an SMTP Server must be defined. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 18

23 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 or higher Microsoft SQL Server - Any of the following: 2008 Standard or, with SP3 and above 2008 R2 Standard or, with SP3 and above Not supported in Metadata Framework x or higher 2014 Standard or, with or without SP1. SP2 is supported. Note: Cumulative Update 6 is also required For See Microsoft KB SP1 or higher Due to a Microsoft limitation, it is recommended to use Internet Explorer 8 or higher to enable reporting services if SQL Server 2008 or 2008 R2 is installed. For reporting purposes, only the following languages are supported for the SQL Server: English German Russian Chinese IDU Services Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 19

24 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) If DataPrivilege or DatAnswers is installed - IIS 6.0 and above with ASP.NET and COM+ OR IIS 7.0 with IIS 6.0 compatibility enabled For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 4.0 (with 3.5 SP1 or higher installed as well), installed on all nodes A file server services group defined on the cluster for Varonis Installer - The server on which the Installer runs must have: Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R For DataPrivilege and DatAnswers, IIS 6 backward compatibility must be defined on Windows 2008 and Windows 2008 R2 or higher. Metabase 6 compatibility must be enabled in order to configure IIS 6 on Windows METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 20

25 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) If DataPrivilege or DatAnswers is installed - IIS 6.0 and above with ASP.NET and COM+ Probe Database Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 21

26 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 Microsoft SQL Server - Any of the following: 2008 Standard or, with SP3 and above 2008 R2 Standard or, with SP3 and above Not supported in Metadata Framework x or higher 2014 Standard or, with or without SP1. SP2 is supported. Note: Cumulative Update 6 is also required For See Microsoft KB SP1 or higher METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 22

27 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 3.5 with SP1, installed on all nodes Microsoft SQL Server cluster comprising: 2008, with SP1 or SP R2, with or without SP Not supported in Metadata Framework x or higher Microsoft Distributed Transaction Coordinator (DTC) must be configured as a clustered service DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. Probe Services Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 23

28 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 4.0 (with 3.5 SP1 or higher installed as well) Probe services may reside on a Probe or a Collector. For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 4.0 (with 3.5 SP1 or higher installed as well), installed on all nodes A file server services group defined on the cluster for Varonis Shadow Server Windows Server - Any of the following: 2003 with SP1 / SP R2 with SP1 / SP without SP or with SP1 / SP R2 without SP or with SP R METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 24

29 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes.NET Framework 3.5 with SP1 or higher Microsoft SQL Server - Any of the following: 2008 Standard or, with SP3 and above 2008 R2 Standard or, with SP3 and above Not supported in Metadata Framework x or higher 2014 Standard or, with or without SP1. SP2 is supported. Note: Cumulative Update 6 is also required For See Microsoft KB SP1 or higher METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 25

30 Chapter 2 SOFTWARE REQUIREMENTS Component Required Software Versions Notes For cluster installation: Windows Server cluster comprised of Windows 2008 or 2008 R2, with or without SP1/SP2, or Windows 2012.NET Framework 3.5 with SP1, installed on all nodes Microsoft SQL Server cluster comprising: 2008, with SP1 or SP R2, with or without SP Not supported in Metadata Framework x or higher Microsoft Distributed Transaction Coordinator (DTC) must be configured as a clustered service DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 26

31 3 REQUIREMENTS FOR MONITORED RESOURCES The Metadata Framework monitors activity on various servers and platforms. To ensure success, Varonis requires specific versions and installations on the monitored server. The following tables summarize these requirements for every supported platform. Note: NFS v2 and v3 are supported. SMB v2 and v3 are supported. For more information, see Permissions and Service Accounts - FAQ. AIX Supported Versions AIX-powerpc-64 AIX-5300-powerpc-64 AIX-6100-powerpc-64 AIX-7100-powerpc-64 Varonis Installation and Requirements N/A Security Requirements SSH-based - User with list credentials on all directories to be enumerated (for example, root, or a user that is a member of all groups) Notes SSH must be enabled on the default port. For AIX servers having EMC powerpath version 5.7, installing the Metadata Framework agent can be problematic as the server is rebooted. The solution is to upgrade EMC powerpath from 5.7 to 6.1. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 27

32 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Azure Active Directory Varonis Installation Requirements The IDU Server must reside on Windows Server 2008 R2 or above Microsoft.Net Framework 4.5 or above must be installed on the IDU Server To collect events on Azure Active Directory domains, the user must: Create an Azure Active Directory application that subscribes to the Activity Feed notifications. Edit the file server and configure the Event Collection Settings in the. Have a valid Microsoft Azure subscription Security Requirements The ADWalk user account must have a sign-in status of Allowed in the Office 365 portal Notes The mapping between the local Active Directory and the Azure Active Directory is done according to the default mapping by Microsoft: Users are mapped via objectguid Groups are mapped via objectname For event collection, the following hosts must be reachable: manage.office.com login.windows.net The ADWalk job for Azure must be able to reach the following URLs: provisioningapi.microsoftonline.com Dell FluidFS Supported Versions FluidFS MR510 FluidFS CIFS events only Varonis Installation and Requirements N/A Security Requirements The FileWalk user must be a domain user with access to the monitored SMB shares. Read-only access for root is required for NFS shares. EMC NAS Supported Versions Celerra RT METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 28

33 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Note: RT 8 or higher is required for filtering false Open events or higher is recommended 6.x 7.x For NFS event collection or higher Isilon OneFS or higher 7.2 or higher - includes NFS events 8.0.x - includes NFS events includes NFS events Unity Unity 4.1 Unity Family VMax EMC VMax enas (CIFS only) VNX VNX (aka VNX2 series) VNXe Other CEE Framework 6.x 7.x 8.x For CIFS event collection and up For NFS event collection and up EMC Celerra CIFS Snap-In Varonis Installation and Requirements Celerra/VNX/Unity At least one CIFS server must be defined on the physical data mover to enable CEPP to start. Optional CEPA server on a dedicated machine A Windows server capable of running the Celerra Event Enabler (CEE) Framework package. Isilon Optional CEPA server on a dedicated machine A Windows server capable of running the Celerra Event Enabler (CEE) Framework package. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 29

34 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Celerra/VNX/Unity Security Requirements Crawling: NTFS - User with permissions to view all file system directories and their permissions (administrator or backup operator and power user) Unix, NFS-based - UID that is defined with read permissions on exported volumes. UID=0 must be honored from the Probe machine. Event collection: Windows The log and audit processes will not collect Rename and Rename Directory events unless the CEPA method is selected. Unix CEPA is required. A control station is optional. If one is defined, a user is required that can use SSH to access it and who is a member of the nasadmin group. A Varonis service account (domain user) with local administrator credentials on the server running the CEE Framework. Isilon Security Requirements OneFS versions x - The Varonis FileWalk service account requires: Membership in the cluster's Local Administrator group "Run As Root" permissions on an appropriate top-level SMB share for which all data to be indexed is a child object. If the service account cannot be granted Run As Root to the share(s) permissions, then the service account must be explicitly assigned with file system permissions to all unique objects within the directory tree; otherwise, Access Denied errors may be encountered. OneFS versions x and 7.2.x - The Varonis FileWalk service account requires: Membership in the cluster's Local Administrator group Membership in the BackupAdmin role, which can be configured within the OneFS WebUI. Read rights on an appropriate top-level SMB share for which all data to be indexed is a child object. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 30

35 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Crawling Unix, NFS-based - UID that is defined with read permissions on exported volumes. UID=0 must be honored from the Probe machine. Event collection: CEPA is required. Notes Celerra/VNX/Unity Auditing is enabled by selecting the Event log (Windows) auditing option in the Celerra dialog box. Data Movers must have the CIFS server configured, so that the CEPP service can be enabled. If the FTP protocol is used to move or modify files, no event activity will be collected. Isilon For Isilon versions lower than If the NFS or FTP protocols are used to move or modify files, no event activity will be collected. For Isilon 7.2 and higher - If the FTP protocol is used to move or modify files, no event activity will be collected. Isilon supports both CIFS and NFS events (NFS is supported from Isilon 7.2 and higher). Exchange On-Premises Attention: DatAdvantage supports only manual editing for Exchange storage groups; it does not provide recommendations. Supported Versions Exchange 2003 Post-SP2 Build Build Build Build Exchange 2007 SP3, build 8.3.x Exchange 2010 SP1, build 14.1.x Exchange 2010 SP2, build 14.2.x Exchange 2010 SP3, build 14.3.x Exchange 2013, build 15.0.x Exchange 2013 SP1, build 15.0.x Exchange 2016 Supported Protocols MAPI (Messaging API) OWA (Outlook Web App) METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 31

36 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Additional protocols - Support must be explicitly enabled in 2010 (in 2013 and 2016, these protocols are always enabled): EWS (Exchange Web Services) ActiveSync IMAP4 POP3 Varonis Installation and Requirements 2003, 2007, 2010:.Net Framework 3.5 with SP1 or higher must be installed on the Exchange server. For 2010, it must be installed on the CAS on which the Commit agent is installed. 2013:.Net Framework 4.0 must be installed on the Exchange server on which the Commit agent is installed. Note: Note that the Metadata Framework itself requires.net Framework 4.0. Security Requirements Installation requires: A user who is a member of: 2003: Exchange Full Administrator role 2007: Exchange Organization Administrators 2010: Exchange Organization role 2013: Exchange Organization role 2016: Exchange Organization role Local administrator on all the servers on which auditing agents are installed: 2003: Mailbox servers (MBX) 2007: Mailbox servers 2010: Client Access Servers (CAS), mailbox servers (MBX) 2013: Mailbox servers (MBX), for both mailboxes and public folders 2016: Mailbox servers (MBX), for both mailboxes and public folders Permissions to Active Directory (2007/2010/2013, 2016 only) - Member of Account Operators or Domain Admins Note: For Exchange 2003, the installation user can be either an Exchange Full Administrator or a Domain Admin. For Exchange 2013 and 2013 SP1 - The Exchange 2013 server certificate must also be present on the Probe and Collector servers to enable connection. For Exchange The Exchange 2016 server certificate must also be present on the Probe and Collector servers to enable connection. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 32

37 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Permanent file server user (for FileWalk/Probe): Simple user (a new one can be created) Power users on each server on which the agent is installed: 2003: Mailbox servers (MBX) 2007: Mailbox servers 2010: Client Access Servers (CAS), mailbox servers (MBX) 2013: Mailbox servers (MBX), for both mailboxes and public folders 2016: Mailbox servers (MBX), for both mailboxes and public folders A separate user for installation can be defined in the Agent Deployment dialog box. The Installer gives the user account the following permissions on the Exchange Server: List contents Active Directory permissions on and under the CN=<organization name> node Administer Information Store for the MAPI FileWalk user on each monitored mailbox database (can be assigned for the CN=<organizationname> node). Commit credentials For changing mailbox permissions: 2003: N/A 2007: Exchange Organization Administrator role 2010: Exchange Organization role 2013: Exchange Organization role For changing sharing permissions: 2003: N/A 2007: Exchange Recipient Administrator role, Owner permission level on the folder or Full Access on the mailbox. 2010: Exchange Recipient Administrator role, Owner permission level on the folder or Full Access on the mailbox. 2013: Exchange Recipient Administrator role, Owner permission level on the folder or Full Access on the mailbox. Local administrator on the CAS on which the Commit agent will be run To enable running the commit process on public folders for specific users, the users must added to Exchange Admin Center > Public Folders > Folder Permissions > Manage. PowerShell - To collect PowerShell events, the Exchange FileWalk user must be a Power User on all Exchange 2010 servers in the organization (the forest in which the Exchange file server's domain resides) to enable the Probe to connect and read events from the server's event log. Notes Auditing is performed on: 2003: Mailbox servers (MBX) 2007: Mailbox servers 2010: Client Access Servers (CAS), mailbox servers (MBX) METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 33

38 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES 2013: Mailbox servers (MBX), for both mailboxes and public folders 2016: Mailbox servers (MBX), for both mailboxes and public folders 2013 only: Exchange's autodiscover service must be enabled on the 2013 environment so that ADWalk can be performed successfully. 2013: Ensure the Exchange 2013 server certificates are present on the Probe/Collector servers to allow FileWalk to connect properly. Certificates for auto-discover and RPC MAPI over HTTP endpoints are required. The authentication mechanism configured in the commit service must match that which is configured in the IIS. DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. Exchange Online Varonis Installation and Requirements The Probe or Collector connected to Exchange Online must reside on Windows Server 2008 R2 or above Microsoft.Net Framework 4.5 or above must be installed on the Probe or Collector PowerShell 3.0 or higher Security Requirements The FileWalk user must be assigned the following Office 365 roles: ApplicationImpersonation Exchange Online administrator The FileWalk user must be mailbox-enabled Important: It is recommended that the FileWalk user account be different than the one used for SharePoint Online. To enable FileWalk to run successfully, the Make this person change their password the next time they sign in option must be cleared for the FileWalk user. Notes The IDU Server and Collector that monitor Exchange Online must both have access to the following URLs: Hitachi NAS Supported Versions and higher METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 34

39 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Varonis Installation and Requirements Auditing must be enabled on the Hitachi NAS server (this can be done through the HDS server console). Security Requirements A regular domain user is required with sufficient permissions to view the file system log. For FileWalk - either a member of the Administrators group and/or a user with Backup Operator privileges is required. Notes Only successful operations are monitored. Access Denied events are not supported. Only CIFS events are supported. If the NFS protocol is used, no event activity is gathered. HP-NAS Supported Versions IBRIX version tested -l (X9000_5_5) Note: Contact Varonis Support for information regarding higher supported versions. Varonis Installation and Requirements N/A Security Requirements Windows - User with backup operator and power user privileges Notes N/A IBM Storwize Supported Versions v7000 Unified Varonis Installation and Requirements N/A Security Requirements User with backup operator and power user privileges Notes N/A METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 35

40 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES IBM Spectrum Scale (GPFS) Supported Versions Varonis Installation and Requirements N/A Security Requirements N/A Notes Security events are not collected NFS-Ganesha is not supported Linux Supported Versions Important: If the required kernel is not in the installation package, refer to your Varonis representative for assistance in manually installing it from the Varonis Unix repository (autodetection is not possible). Debian-6-SMP x86-64 Debian-7-SMP x86-64 RedHat-RHEL4-SMP x86-32 RedHat-RHEL4-HugeMem x86-32 RedHat-RHEL4-LargeSMP x86-64 RedHat-RHEL4-SMP x86-64 RedHat-RHEL5-SMP x86-32 RedHat-RHEL5-SMP xen-x86-32 RedHat-RHEL5-SMP pae-x86-32 RedHat-RHEL5-SMP x86-64 RedHat-RHEL6-SMP x86-32 RedHat-RHEL6-SMP x86-32 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 36

41 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Oracle Linux UEK: RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL6-SMP x86-64 RedHat-RHEL7-SMP x86-64 RedHat-RHEL7-SMP x86-64 RedHat-RHEL7-SMP x86-64 RedHat-RHEL7-SMP x86-64 RedHat-RHEL7-SMP x86-64 SUSE-SLES10-SMP xenpae-x86-32 SUSE-SLES10.2-SMP x86-64 SUSE-SLES10.3-SMP x86-64 SUSE-SLES10.4-SMP x86-64 SUSE-SLES11.3-SMP x86-64 SUSE-SLES11.3-SMP x86-64 SUSE-SLES11.4-SMP x86-64 SUSE-SLES11.4-SMP x86-64 SUSE-SLES12.0-SMP x86-64 SUSE-SLES12.1-SMP x86-64 Ubuntu-8-SMP x86-32 Ubuntu-8-SMP x86-64 Ubuntu SMP pae-x86-32 Ubuntu SMP x86-64 Ubuntu SMP x86-64 Ubuntu SMP x86-64 Ubuntu SMP pae-x86-32 Ubuntu SMP x86-64 Ubuntu SMP x86-64 Ubuntu SMP x86-64 Ubuntu SMP x86-64 Varonis Installation and Requirements N/A Security Requirements Crawling: NFS-based - UID that is defined with read permissions on exported volumes. UID=0 must be honored from the Probe machine. Varonis-based - Local User with SSH Access Event collection: Must be installed with the root account The Varonis agent should be installed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 37

42 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Notes CentOS is also supported (only the equivalent of supported Red Hat versions) SSH must be enabled on the default port. Local Machine Account Supported Versions Windows file servers (2000 or above) Unix Servers (with SSH enabled) EMC Celerra NetApp (only groups and their members) HP-NAS Varonis Installation and Requirements N/A Security Requirements Windows - User with backup operator and power user privileges Notes N/A NetApp Supported Versions 6.4.x 6.5.x 7.0.x and above 7.2.x 7.3.x 8.0.x 8.1RC 8.1.x - Supported for 7 mode only 8.2.x - Supported for 7 mode P3 and up - Also supported for cluster mode P1 and up - Also supported for cluster mode and up - Also supported for cluster mode 8.3.x RC, GA and up 8.3 RC and GA 8.3 P1 - Also supported for cluster mode RC P All 9.0 RC METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 38

43 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Supported for on-premises and OnTap Cloud Supported for on-premises and OnTap Cloud Supported for on-premises and OnTap Cloud Note: SMBv3 is supported for NetApp clusters. Varonis Installation and Requirements Creation of new FPolicy is required (requires root credentials) The NetApp proxy requires only a Windows file server on which the Varonis Windows agent is installed. Netapp 7-mode does not work with Windows 2016 due to certain Microsoft restrictions. The Collector or Probe must be installed on an older version of Windows Server. Security Requirements Crawling: NTFS - User with permissions to view all file system directories and their permissions (administrator or backup operator and power user) The Power User role requires the following capabilities: api-qtree-* api-options-get Unix, NFS-based - UID that is defined with read permissions on exported volumes. UID=0 must be honored from the Probe machine. Notes FPolicy API - v7.1.x is not supported Domain membership is recommended Samba Shares (CIFS on Unix) Supported Versions Varonis Installation and Requirements N/A Security Requirements Windows - User with backup operator and power user privileges FileWalk user: Must be an Active Directory user The user must be able to log in to the file server via SSH METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 39

44 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Notes CIFS user resolution is accomplished in one of the following ways: RFC2307 AD extension is implemented for all the users Associating the file server with a Samba domain Samba must work with winbind. Scality RING Supported Versions Varonis Installation and Requirements The Linux version of the CIFS connector must be a supported version. Security Requirements Windows - User with backup operator and power user privileges FileWalk user: Must be an Active Directory user The user must be able to log in to the file server via SSH Notes N/A SharePoint On-Premises Supported Versions SharePoint MOSS 2007 and WSS 3.0 SharePoint 2010 and WSS 4.0 SharePoint 2013 with or without SP1 SharePoint 2016 Varonis Installation and Requirements The SharePoint agent must be installed on a front-end server.net Framework 3.5 with SP1 is required on the SharePoint machine, even if a higher version of.net Framework is also installed. Note: The Metadata Framework itself requires.net Framework 4.0. Security Requirements Installation If the Varonis audit mode is in use, a system administrator is required on all SQL servers on which the content database reside. If the legacy modified audit mode is in use, a system administrator is required on all SQL Servers on which the content databases reside. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 40

45 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES If the legacy default audit mode is in use, no special credentials are required for the content databases. System administrator credentials are required on all SQL Servers in order to upgrade from Metadata Framework 5.8 or lower. Agent installation - Local admin on all front ends on which installation is performed (if the Varonis agent is being installed, this is configured through the Installer). All front ends require a system administrator to update registry keys during the following operations: Installation/uninstallation Adding/removing a front end Moving from legacy mode to Varonis audit mode Enabling/disabling collection of Open events The system administrator credentials are not required after these operations are complete. FileWalk - A user with backup operator and power user privileges is required on all front ends. For the Data Transport Engine - A site collection administrator is required. For SharePoint 2013: Classic Windows authentication is supported, since Windows Claims Accounts are supported (Claims-Based authentication that uses Domain\Username as the IdentifyClaim). No setup is required. A separate user for installation can be defined in the Agent Deployment dialog box. Notes Network Load Balancing (NLB) is supported. The SharePoint Agent cannot be installed on machines that have less than 500MB of free space on their %SYSTEMDRIVE%. If the installer user has insufficient privileges to create the varonis content database, monitoring is disabled and the event mode is reset to the default. Auto-detect Resource is not supported if both the public URL and its Alternate Access Mapping (AAM) have been added to DatAdvantage. SharePoint Online Varonis Installation and Requirements The Probe or Collector connected to SharePoint Online must reside on Windows Server 2008 R2 or above Microsoft.Net Framework 4.5 or above must be installed on the Probe or Collector PowerShell 3.0 or higher To collect events on SharePoint Online and OneDrive file servers, the user must: Create an Azure Active Directory application that subscribes to the Activity Feed notifications. Edit the file server and configure the Event Collection Settings in the. Have a valid Microsoft Azure subscription METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 41

46 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Security Requirements The FileWalk user must be assigned the Office 365 SharePoint Online administrator role Important: It is recommended that the FileWalk user account be different than the one used for Exchange Online. In order for the Probe or Collector service to connect to the locally installed agent, the FileWalk user account must be a member of at least one of the following groups on the Probe/Collector server: Administrators Backup Operators Power Users VaronisEventsRetrieval (local or domain group) Notes The IDU Server and Probe/Collector that monitor SharePoint Online must be able to reach the following URLs: All monitored site URLs (including OneDrive and public sites if in use) For event collection, the following hosts must be reachable: manage.office.com login.windows.net For ADWalk and FileWalk: Admin site host provisioningapi.microsoftonline.com *.<TenantDomain>.com manage.office.com login.microsoftonline.com Sun Solaris/Open Solaris Supported Versions Oracle Solaris is supported only for 64-bit versions SunOS-5.8-sparc-64 SunOS-5.9-sparc-64 SunOS-5.10-sparc-64 SunOS-5.10-x86-64 SunOS-5.11-x86-64 SunOS-5.11-sparc-64 Nexenta Nexenta Varonis Installation and Requirements For event collection, the Varonis Filter Driver must be installed on the global zone. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 42

47 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Security Requirements Crawling: NFS-based - UID that is defined with read permissions on exported volumes. UID=0 must be honored from the Probe machine. SSH-based - User with list credentials on all directories to be enumerated (for example, root, or a user that is a member of all groups) Event collection: Must be installed with the root account The Varonis agent should be installed Notes SSH must be enabled on the default port. Unix Directory Services Supported Versions Note: Only Active Directory is supported as the main domain. LP NIS Centrify DirectControl 4 Centrify Suite 2013 Varonis Installation and Requirements N/A Security Requirements N/A Notes N/A Windows Supported Versions 2000 Windows 2003 x32 Windows 2003 x64 Windows 2003 R2 x32 Windows 2003 R2 x64 Windows 2008 x32 Windows 2008 x64 Windows 2008 R2 x64 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 43

48 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES Windows Both NTFS and ReFS Windows 2012 R2 - Both NTFS and ReFS Note: Windows Server 2012 and higher. Windows Server 2012 Dynamic Access Control is not supported. Folder names are limited to 256 characters, just as in NTFS. Windows Storage Server is supported for 2008 R2 and 2012 R2. Windows 2016 Windows 7 x64 Windows 10 x64 Varonis Installation and Requirements For event collection, the Varonis Filter Agent must be installed. Security Requirements Crawling: CIFS - User with permissions to view all file system directories and their permissions (administrator or backup operator and power user) Varonis Protocol - Varonis FileWalk Agent should be installed For Windows clusters - Administrative shares accessed through the cluster name might not be accessible by members of the Backup Operators and Power Users groups. If not, the following options can be used: The FileWalk user can be added to the Local Administrators group on each node of the cluster. Another share can be added to the cluster group, pointing to the same volume, with Read permissions for the FileWalk user. IMPORTANT: Implementation of Microsoft's Network access: Restrict clients allowed to make remote calls to SAM security policy setting means the Metadata Framework cannot automatically detect file servers or collect local accounts. If a simple user (i.e., a user with backup operator and power user privileges) is preferred instead of a local administrator, the Varonis service account (or the FileWalk user) must be defined in the Network access: Restrict clients allowed to make remote calls to SAM security policy. See Microsoft's documentation for instructions, or contact Varonis Support for assistance. Notes In Windows Storage Server, the Metadata Framework does not support events generated inside VHD or VHDX files. Such events can be monitored from the server where the files are attached. DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 44

49 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES If the Windows file server is also used as a domain controller, the FileWalk user must be a member of the Server Operators and Backup Operators groups. The automatic detection of Windows Server 2016 by simple users (i.e., users with backup operator and power user privileges) is possible only if the Active Directory (AD) role is installed on Windows Server Windows Directories Supported Versions Windows NT 4.0 domain Windows 2000 Active Directory Windows 2003 Active Directory Windows 2008 Active Directory Windows 2012 Active Directory Windows 2016 Active Directory Varonis Installation and Requirements N/A Security Requirements Any domain account may be used for user information (ADwalk). Notes N/A Windows Directory Services (Active Directory) Supported Versions Active Directory on Windows 2003 Active Directory on Windows 2003 R2 Active Directory on Windows 2008 Active Directory on Windows 2008 R2 Active Directory on Windows 2012 Active Directory on Windows 2012 R2 Active Directory on Windows 2016 Varonis Installation Requirements N/A Security Requirements To enable directory service event collection, it is necessary to manually configure a user that is authorized to manage auditing and security logs on each DC. To enable GPO auditing, a user with domain admin credentials (or enterprise admin, for forests) is required. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 45

50 Chapter 3 REQUIREMENTS FOR MONITORED RESOURCES The user that connects to the event log must be added to the GPO User Rights Assignment > Manage auditing and security log policy. Any regular domain user can be defined for this purpose. To monitor GPO change events, the primary language of the Probe server's operating system should be English (GPMC report output must be in English). Event collection is supported on the default domain's partition (default naming context) only. Notes Event collection is supported only on the default domain's partition (default naming context). The mapping between the local Active Directory and the Azure Active Directory is done according to the default mapping by Microsoft: Users are mapped via objectguid Groups are mapped via objectname Varonis Directory Service Proxy Agent Installation Requirements Deployment At least 1 Probe, Collector or directory service proxy agent must be installed per site for all the monitored domains. All the DCs of a site must be monitored by their respective Probe, Collector or directory service proxy agent. Installation and usage - Directory service proxy agents require a user who is a member of the Administrators or the Domain Admins group on the local machine. Important: Installation of the DS Proxy Agent on a DC requires a member of the Domain Admins group, since DCs do not have local accounts. Network traffic - The most effective way to reduce network traffic is to install the proxy on the DCs themselves, so that the only network traffic to the DS Probe or Collector would be the event data after filtering and aggregation of the event log. (If the proxies cannot be installed on the DCs themselves, the proxies must be installed in the LAN-proximity of the DCs so that the event logs' data transfer would be restricted to within the LANs.) METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 46

51 4 INSTALLATION AND SECURITY NOTES SharePoint Load Balancing To enable load balancing for SharePoint, port must be opened on the appliance defined for load balancing in addition to all other load-balanced ports. Microsoft NLB is supported, with the Office Document Conversions Load Balancer Service. Issues and Limitations The Installer uses the following names for machines, components, services, etc.; they must not be changed, duplicated or deleted: vrnsdomaindb VrnsDefaultAD Varonis and varonis VrnsUI vrnsuidataprivilege DataPrivilegeDomain DataPrivilegeShadow Distributed Transaction Coordinator (DTC) must be enabled (and running) on the database machine. The Metadata Framework requires SQL Common Language Runtime (CLR) to be enabled on SQL databases. SQL CLR hosts the.net language engine on SQL servers and is used for adding custom-defined access control lists (ACLs), permissions, types, functions and data aggregates. The Installer enables CLR as part of the installation process. Creation of DB links is required. For IP address resolving, it is recommended to leave the NetBIOS port open. IP address resolving limitations (for Windows Servers only): Auditing must be enabled in order to successfully log on and log off from the server. Not all logon types are supported and retrieve IP addresses (e.g., Remote Desktop Protocol (RDP) and the Keyboard-Interactive authentication method). The IP address information is retrieved from the Windows Security Event log, which in some cases may not report all IP addresses. This can be verified in the Windows Security Event log. The IP addresses of events that flow into the logon resolver are resolved within a short period of time (a few seconds). Normally, IP addresses are resolved immediately because the logon extractor already has the IP address or logon ID mapping from the Windows Security Event log. However, if there is a large number of Windows Security events and latency on the server, the queue size limit on unresolved events may be exceeded. The METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 47

52 Chapter 4 INSTALLATION AND SECURITY NOTES size of this queue is managed by the following registry entry (10K entries are configured by default): HKLM\Software\Varonis\VrnsCifsQueue\UnresolvedEventsQueueMaxSize METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 48

53 Chapter 4 INSTALLATION AND SECURITY NOTES Required Credentials The following table summaries the credentials required for the various components, services, etc. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 49

54 Chapter 4 INSTALLATION AND SECURITY NOTES Note: For more information, see Permissions and Service Accounts - FAQ. Item Required Credentials ADWalk - Directory service crawling Active Directory and LP - Any domain account NIS DataPrivilege Bulk Upload Utility Windows The user must be a local administrator on the machine on which the utility is installed. Collector host shares The following credentials are required on Collector host shares: Read Write Share NTFS Commit service and DataPrivilege searcher Works in Windows environment only (Windows, NetApp, Celerra and Active Directory). Commit to Active Directory requires a user account that is permitted to modify Active Directory objects. Commit to a file system requires full control credentials on the changed objects. When defining a SharePoint file server, the user account must have Backup Operator and Power User privileges. It must also be a member of the Administrators local machine group (for Windows or NAS devices), or a member of the Site Collection Administrators group (for SharePoint). When defining a domain, the user account must be a member of the Administrators security group. DatAnswers The DatAdvantage application account must have Read/Write permissions on the Data Sync Unit share. The DatAnswers application account must be a local administrator on the machine on which DatAnswers is installed. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 50

55 Chapter 4 INSTALLATION AND SECURITY NOTES Item Required Credentials Data Classification Framework (DCF) NTFS - User with permissions to view all file system directories and their permissions (administrator or backup operator and power user). The user must also be a domain user in Active Directory. Data Transport Engine The following are the minimum credentials required for using the Data Transport Engine: To execute a rule: administrator, together with backup operator and power user on the target machine, with at least List NTFS permissions on the destination folder To use a copy agent: local administrator on the target machine To delete from the source machine: backup operator and power user on all source machines To use a copy agent to delete from the source machine: local administrator on all source machines Database During installation, the sa password is required. Enhanced security configuration allows the creation of a dedicated SQL account for a Varonis administrator and a Varonis UI user. In this case, the sa credentials are only required for additional configuration and installation. Windows authentication may also be used. If it is, ensure the Windows authentication account is sysadmin in the SQL server. DatAdvantage user interface Any domain user can access the UI, as long as the user is listed in the authorized user's configuration. User roles are managed by DatAdvantage itself. Reports - Certain filters, such as the Folders List filter, require specific permissions. The Folders List filter requires Read permissions for the user running the SQL service to the CSV file specified by the filter. DataPrivilege Web credentials Any domain user can log into the DataPrivilege web application. User roles are managed by DataPrivilege itself. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 51

56 Chapter 4 INSTALLATION AND SECURITY NOTES Item Required Credentials DFS configuration Any authenticated user. Event collection Windows filter driver - Must be installed with an administrative account Unix filter driver - Must be installed with the root account Exchange agent - Requires a local power user on the agent machine FileWalk - File system crawling NTFS - User with permissions to view all file system directories and their permissions (administrator or backup operator and power user). The user must also be a domain user in Active Directory. The SQL service account on the Probe must also have local admin and/or backup operator rights. Note: Alternatively, for domain controllers it can have domain Backup Operator and domain Server Operator rights. Unix NFS-based - UID that is defined with read permissions on exported volumes SSH-based - User with list credentials on all directories to be enumerated (for example, root, or a user that is a member of all groups) Domain types NT Backup Operator and Power User Windows Backup Operator and Power User Windows Backup Operator and Power User Windows Backup Operator, Power User or Server Operator IMPORTANT: Implementation of Microsoft's Network access: Restrict clients allowed to make remote calls to SAM security policy setting means the Metadata Framework cannot automatically detect file servers or collect local accounts. If a simple user (i.e., a user with backup operator and power user privileges) is preferred instead of a local administrator, the Varonis service METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 52

57 Chapter 4 INSTALLATION AND SECURITY NOTES Item Required Credentials account (or the FileWalk user) must be defined in the Network access: Restrict clients allowed to make remote calls to SAM security policy. See Microsoft's documentation for instructions, or contact Varonis Support for assistance. FileWalk - Directory services crawling At least the following are required on the domain to enable crawling: Read All Properties Read Permissions IDU Services If Windows authentication is used, the user running the services must be a local administrator. Installation Prior to installation, create a domain user with local administrator privileges on all installation machines. To install directory service auditing, prepare domain administrator credentials for each domain in which it will be installed. The local administrator is required on the SQL Server during installation in order to configure the DTC. This user can be deleted following installation. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 53

58 Chapter 4 INSTALLATION AND SECURITY NOTES Item Required Credentials If the UAC is enabled on the computer on which the is running, the user must run the as an administrator for the impersonation in Probe and Collector installation to work properly. Probe Services If Windows authentication is used, the user running the services must be a local administrator. File servers A domain user with local administrative privileges on these machines is required during installation. The installation account must have local admin permissions. The SQL service account on the Probe must also have local admin and/or backup operator rights. To enable the Pull Proxy functionality, the SQL server service account must have Replace a process level token rights, granted through a local security policy. To enable use of the Folders list filter with a remote CSV file, the SQL server service account must have permissions for the remote folder. Directory services A user that is authorized to manage auditing and the security log on each domain controller. By default, only domain administrators and the Exchange Server possess these privileges. Reporting Services computer Accounts that run remote file share subscriptions require rights to log on locally on the Reporting Services computer. For more information, see Microsoft's article, File Share Delivery in Reporting Services. Windows cluster installation for the Varonis agent To detect whether the server is a cluster the user must have administrative rights. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 54

59 Chapter 4 INSTALLATION AND SECURITY NOTES Required Security Policies While Varonis understands that changes to an organization's security policies are always sensitive and must not be undertaken lightly, the policy options described below are required by both Microsoft and NetApp. If the options are not set as required by those companies, a number of issues can arise: NetApp file servers may disconnect from TrendMicro's ServerProtect for NetApp Scan Servers, even though the file servers appear to be successfully registered. After installing a NetApp file server and Scan Engine host in a Windows 2008 domain, the McAfee Vscan (virus scanner) server may not be successfully registered on the file server. CIFS shares may not be visible on Windows Servers 2008 R2. The following table lists the required security options, along with the Windows and NetApp versions on which they are required. The footnotes contain links providing more information about the relevant issues. Note: For more information about these security options and Server Message Block (SMB) signing, see Microsoft TechNet's Security Options and SMB Overview. Option Name Setting Windows Prior to 2008 R2 Windows 2008 R2 and Higher NetApp Prior to NetApp and Higher Allow anonymous SID/Name translation Enabled Required 1 Required 1 Required 1 Required 1 Do not allow anonymous enumeration of SAM accounts Disabled Required 1 Required 1 Required 1 Required 1 Do not allow anonymous enumeration of SAM accounts and shares Disabled Required 1 Required 1 Required 1 Required 1 Let Everyone permissions apply to anonymous users Enabled Not required Required 1, 2 Required Required Named pipes that can be accessed anonymously Browser, ntapfprq Not required Required 1, 2 N/A N/A METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 55

60 Chapter 4 INSTALLATION AND SECURITY NOTES Option Name Setting Windows Prior to 2008 R2 Windows 2008 R2 and Higher NetApp Prior to NetApp and Higher Microsoft network client: Digitally sign communications (always) Disabled N/A N/A Not required Required 3 Microsoft network client: Digitally sign communications (if server agrees) Enabled N/A N/A Not required Required 3 Microsoft network server: Digitally sign communications (always) Disabled N/A N/A Not required Required 3 Microsoft network server: Digitally sign communications (if client agrees) Disabled N/A N/A Not required Required 3 Footnotes: 1. Disconnection from TrendMicro's ServerProtect for NetApp Scan Servers 2. Failure to register McAfee's Vscan server on the file server 3. CIFS shares may not be visible or opened on Windows Server 2008 R2 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 56

61 5 SUPPORTED EVENTS The following sections describe the events supported by the Metadata Framework. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 57

62 Chapter 5 SUPPORTED EVENTS CIFS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations CIFS on Unix (Samba) File Create File Delete File Open File Rename File Modify File Set Permissions Folder Create Folder Delete Folder Rename Folder Set Permissions Share added Share removed Share permission added Share permission removed Dell Fluid FS 6.0 File Create File Delete File Open File Rename File Modify File Set Permissions File Owner Changed Folder Create Folder Delete Folder Rename Folder Set Permissions Folder Owner Changed EMC Celerra operating system 5.2 and above - if the datamover is running RT 5, only CIFS events are supported EMC VMax enas Isilon Unity N/A EMC audit mechanism / CEPA For more details about the "numbered" operations below, see the corresponding numbers in the "Limitations and Known Issues" list following this table. File Create File Delete 9 File Open File Rename File Modify 10 File Set Permissions 10 Directory Create Directory Delete 9 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 58

63 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations Directory Rename Directory Set Permissions 10 Note: File and Directory Rename operations are supported only by CEPA. Share added Share removed Share permission added Share permission removed Access Denied Events (supported by Celerra/VNX only): File Create File Delete File Open File Modify File Rename File Set Permissions Folder Create Folder Open Folder Rename Folder Delete Folder Set Permissions Hitachi NAS and higher File Create File Delete File Open File Rename File Modify File Set Permissions Directory Create Directory Delete Directory Rename Directory Set Permissions Access Denied Events: File Accesses Folder Accessed Folder Opened METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 59

64 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations HP-NAS: IBRIX version tested -l (X9000_5_5) Note: Contact Varonis Support for information regarding higher supported versions. x64 Varonis agent + Likewise Audit Assist File Create File Delete File Open File Rename File Modify File Set Permissions Folder Create Folder Delete Folder Rename Folder Set Permissions IBM Spectrum Scale (GPFS) Note: Security events are not collected NFS-Ganesha is not supported File Create File Delete File Open File Rename File Modify Folder Create Folder Delete Folder Rename IBM Storwize v7000 Unified File Create File Delete File Open File Rename File Modify File Set Permissions Folder Create Folder Delete Folder Rename Folder Set Permissions Network Appliance OnTap version: 6.4.x 6.5.x 7.0.x and above 7.2.x 7.3.x 8.0.x 8.1RC N/A NetApp FPolicy API For more details about the "numbered" operations below, see the corresponding numbers in the "Limitations and Known Issues" list following this table. File Create File Delete 4 File Open File Rename 8 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 60

65 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations 8.1.x - Supported for 7 mode only 8.2.x - Supported for 7 mode P3 and up - Also supported for cluster mode P1 and up - Also supported for cluster mode and up - Also supported for cluster mode 8.3.x RC, GA and up 8.3 RC and GA 8.3 P1 - Also supported for cluster mode RC P All 9.0 RC Supported for onpremises and OnTap Cloud Supported for onpremises and OnTap Cloud Supported for onpremises and OnTap Cloud File Modify 3 File Set Permissions 1,6 Directory Create 7 Directory Delete 4 Directory Rename 4,8 Directory Set Permissions 1,6 Important: Since NetApp does not support local accounts, only group information is collected instead of user information. Windows 2000 Windows 2003 x32 Windows 2003 x64 Windows 2003 R2 x32 Windows 2003 R2 x64 X86 x64 Local file system filter File Create File Delete File Open File Rename File Modify File Set Permissions File Owner Changed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 61

66 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations Windows 2008 x32 Windows 2008 x64 Windows 2008 R2 x64 Windows Both NTFS and ReFS Windows 2012 R2 - Both NTFS and ReFS Note: Windows Server 2012 and higher. Windows Server 2012 Dynamic Access Control is not supported. Folder names are limited to 256 characters, just as in NTFS. Windows Storage Server is supported for 2008 R2 and 2012 R2. File Permissions Added File Permissions Removed File Protection Added File Protection Removed Folder Create Folder Delete Folder Rename Folder Set Permissions Folder Owner Changed Folder Permissions Added Folder Permissions Removed Folder Protection Added Folder Protection Removed Access Denied Events: File Delete File Open Folder Delete Folder Open File Set Security Folder Set Security Windows 2016 Windows 7 x64 Windows 10 x64 Limitations and Known Issues 1. For NetApp 7.2.x, 7.3.x, 8.0 and 8.1RC, SETSEC_FILE is always received for files and directories. The Probe fixes it if it does not find "FILE" addressing in its cache and the name does not include a file extension. For CIFS, it is important to enable setting security: fpolicy options <PolicyName> cifs_setattr on 2. NFS_FullPath with OnTap 7.3 and above might add performance overhead. 3. The ability to distinguish Modify from Open events is configured through the UI (default=off) due to network issues that might affect client latency. 4. Not supported in NetApp Not supported in NetApp 7.2.x 6. Only supported in NetApp 7.3.x and above 7. Not supported in NetApp Only supported in NetApp and above METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 62

67 Chapter 5 SUPPORTED EVENTS 9. Some DELETE_DIR is received for files. The Probe fixes it if it does find "FILE" addressing in its cache or the name includes a file extension. 10. Dummy operations are sometimes executed. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 63

68 Chapter 5 SUPPORTED EVENTS NFS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported File Operations Dell Fluid FS File Create File Delete File Open File Rename File Modify File Set Permissions Folder Create Folder Delete Folder Rename Folder Set Permissions EMC Celerra operating system 5.2 and above - if the datamover is running RT 6 or higher (for RT 5, only CIFS events are supported) Isilon N/A CEPA File Create File Delete File Open File Rename File Modify File Set Permissions Directory Create Directory Delete Directory Rename Directory Set Permissions Access Denied Events: File Delete File Open File Set Permissions Folder Delete Folder Set Permissions Note: Access Denied events are only supported by Celerra/VNX. HP-NAS: IBRIX version tested -l (X9000_5_5) Note: Contact Varonis Support for information regarding higher x64 Varonis agent File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 64

69 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported File Operations supported versions. Folder Rename Directory Set Security IBM AIX 6.1 TL3 SP1 5.3 TL11 SP2 5.3 TL8 SP1 5.3 TL8 SP2 x64 Agent File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security IBM Storwize v7000 Unified File Create File Delete File Open File Modify File Set Security Folder Create Folder Delete Directory Set Security Note: File Open, File Set Security and Directory Set Security are not supported on NFS-G (C3 or C4). Network Appliance OnTap version: 7.2.x 7.3.x NFS_FullPath RC N/A NetApp FPolicy API For more details about the "numbered" operations below, see the corresponding numbers in the "Limitations and Known Issues" list following this table. File Create File Delete 4 File Open 5 File Rename 5 File Modify 5 File Set Permissions 5 Directory Delete 4 Directory Rename 4,5 Directory Set Permissions 1,6 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 65

70 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported File Operations RedHat Linux / CentOS: 4.8 (kernel 2.6.9) 5.0 (kernel ) X86 x64 Agent File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security Sun Solaris Oracle Solaris is supported only for 64- bit versions SunOS-5.8-sparc-64 SunOS-5.9-sparc-64 SunOS-5.10-sparc-64 SunOS-5.10-x86-64 SunOS-5.11-x86-64 SunOS-5.11-sparc-64 Nexenta Nexenta Sparc Local file system filter File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security SuSE Linux Server 10.0 X86 Agent File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security Limitations and Known Issues 1. For NetApp 7.2.x, 7.3.x, 8.0 and 8.1RC, SETSEC_FILE is always received for files and directories. The Probe fixes it if it does not find "FILE" addressing in its cache and the name does not include a file extension. For CIFS, it is important to enable setting security: fpolicy options <PolicyName> cifs_setattr on 2. NFS_FullPath with OnTap 7.3 and above might add performance overhead. 3. The ability to distinguish Modify from Open events is configured through the UI (default=off) due to network issues that might affect client latency. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 66

71 Chapter 5 SUPPORTED EVENTS 4. Not supported in NetApp Not supported in NetApp 7.2.x 6. Only supported in NetApp 7.3.x and above 7. Not supported in NetApp Only supported in NetApp and above 9. Some DELETE_DIR is received for files. The Probe fixes it if it does find "FILE" addressing in its cache or the name includes a file extension. 10. Dummy operations are sometimes executed. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 67

72 Chapter 5 SUPPORTED EVENTS SharePoint On-Premises Events Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations SharePoint MOSS 2007 WSS 3.0 X86 x64 SharePoint auditing File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security Role Set List Item Create List Item Delete List Item Open List Item Rename List Item Modify List Item Set Security List Set Security Website Rename Website Delete Website Set Security Library Set Security Attachment Create Attachment Delete Attachment Open SharePoint 2010 SharePoint 2013 SharePoint 2016 X86 x64 SharePoint auditing File Create File Delete File Open File Rename File Modify File Set Security Folder Create Folder Delete Folder Rename Directory Set Security Role Set Site Create List Create List Delete List Item Create List Item Delete List Item Open METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 68

73 Chapter 5 SUPPORTED EVENTS Monitored File Servers / NAS Devices CPU Architecture Event Collection Method Supported Operations List Item Rename List Item Modify List Item Set Security List Set Security Website Rename Website Delete Website Set Security Attachment Create Attachment Delete Attachment Open Library Set Security Library Create Library Delete SharePoint Online and OneDrive Events The following events are supported: Event Type Supported File Create Yes File Modify Yes File Open Yes File Delete Yes File Rename Yes Folder Delete Yes Folder Rename Yes List Item Delete Yes Exchange On-Premises Events The following events are supported (all events collected for mailboxes are also collected for public folders, unless otherwise specified): METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 69

74 Chapter 5 SUPPORTED EVENTS Note: Not all Exchange events are monitored by default. Settings can be reviewed and configured in the, under Configuration > Exchange > Event Types. The SELF account can be configured to enable event monitoring. Event Type Supported Open Folder Yes Create Folder Yes Delete Folder Yes. In Exchange 2013 and 2016, only supported for mailboxes, not for public folders. Rename Folder Yes Add Folder Permissions Yes In Exchange 2010 only, also supported by PowerShell and EMC Remove Folder Permissions Yes In Exchange 2010 only, also supported by PowerShell and EMC Change Folder Permissions Yes In Exchange 2010 only, also supported by PowerShell and EMC Move Folder Yes Empty Folder Yes Copy Folder Yes Mark All as Read Only in OWA (Premium) 2010 SP1 and SP2 METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 70

75 Chapter 5 SUPPORTED EVENTS Event Type Supported Message opened Only in Online mode and OWA (Premium) 2010 SP1 and SP2 (not supported in Outlook cached mode). Send Message Yes Send Message (On behalf of X) Yes Send Message (As X) Yes Message received (on Mailbox only) Yes Edit Message Yes Delete Message Yes. In Exchange 2013 and 2016, only supported for mailboxes, not for public folders. Copy Message Yes Move Message Yes Create Message Yes Message Marked as Unread Yes Message Marked as Read Yes Logon Yes Mailbox Permissions Added (includes Send As) In Exchange 2010 and 2013 only, supported only by PowerShell and EMC Mailbox Permissions Removed (includes Send As) In Exchange 2010 and 2013 only, supported only by PowerShell and EMC Mailbox Forward Delivery Option Added In Exchange 2010 only, supported only by PowerShell and EMC Mailbox Forward Delivery Option Removed In Exchange 2010 only, supported only by PowerShell and EMC METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 71

76 Chapter 5 SUPPORTED EVENTS Event Type Supported Public Folder Administrative Permissions Removed In Exchange 2010 only, supported only by PowerShell and EMC In addition, the following information is also collected for folders (mailbox and public folders): Folder path - Always collected. Indicates whether an operation was performed on a folder or on an item inside it. Folder item count Folder date modified Folder item created - The date is collected, but is not visible in the UI. Folder size Event date Effective permissions Message created Message received Audited event data is collected by the Varonis Exchange agents. Folder structure, folder information (e.g. size, item count) and permissions are collected by FileWalk. Supported PowerShell cmdlets Add-MailboxPermission - Also supported in Exchange 2013 Remov boxPermission - Also supported in Exchange 2013 Add-PublicFolderAdministrativePermission Remove-PublicFolderAdministrativePermission Add-PublicFolderClientPermission Remove-PublicFolderClientPermission Add-MailboxFolderPermission Set-MailboxFolderPermission Remov boxFolderPermission Add-ADPermission Remove-ADPermission Known Issues When a message is modified, new events contain the properties of the original message, not the edited one. The ACE SID in a Modify Permissions event sometimes shows the SID of the subject user instead of the user name. Directory Services Events The following events are supported: METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 72

77 Chapter 5 SUPPORTED EVENTS General The following events are supported: Creation and deletion of all objects Changes in group membership Changes in directory service object properties for any property Note: Due to standard Microsoft behavior, Modify events may be recorded for all the fields in a modified object, not only those that were changed; also, when an AD object is created, many Create and Modify events are recorded on the object's fields. Account enabled Account disabled Account authentication Access request DS object created DS object deleted DS object renamed DS object moved DS object modified DS object set security DS object membership added DS object membership removed User password reset User locked out User unlocked GPO events GPO link created GPO link deleted GPO link modified GPO settings modified Permission events DS object permission added DS object permission removed Owner changed The following events are not supported: Logon/logoff events - Not supported. Extended Properties Extended properties are, in general, supported. However, the properties below are displayed as string data types and not dates. These properties can only be searched and sorted as strings: Account Expiration - The date on which the account expires Pwd Last Set - The date and time at which this account's password was last changed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 73

78 Chapter 5 SUPPORTED EVENTS Last Logon - The last time the user logged on (this attribute is not replicated) Last Logon timestamp - The last time the user logged on (in Windows Server 2003 and up, this attribute is replicated; however, it is only updated when the user logs on if the old value is more than a configurable number of days in the past) Last logoff - The time at which the user last logged off DCF The DCF does not support directory service probing. DatAdvantage Object Types The following DatAdvantage object types are audited: Category Object Type DatAdvantage objects Data Transport Engine rule DatAdvantage objects Flag DatAdvantage objects None DatAdvantage objects Predefined directory scope DatAdvantage objects Report DatAdvantage objects DatAlert rule DatAdvantage objects DatAlert Template DatAdvantage objects Tag DatAdvantage objects Commit Process Directory service objects Computer Directory service objects Contact Directory service objects Container Directory service objects Domain Directory service objects DS other METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 74

79 Chapter 5 SUPPORTED EVENTS Category Object Type Directory service objects Exchange dynamic distribution list Directory service objects Foreign security principal Directory service objects Group Directory service objects Group policy Directory service objects Organizational unit Directory service objects Printer Directory service objects Shared folder Directory service objects User Exchange objects Mail folder Exchange objects Mailbox Exchange objects Public folder File system objects File File system objects Folder File system objects Resource File system objects Site DatAdvantage Operations The following DatAdvantage operations are audited: Operation Type Subcategory Mapping To Operation Category Filter Account created Account Added METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 75

80 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter Account deleted Account Removed Account disabled Account Changed Account edited Account Changed Account enabled Account Changed Account moved Account Changed Account password reset Account Changed Account unlocked Account Changed Classification file analysis viewed Classification Accessed Classification summary viewed Classification Accessed DatAlert Alert Status Changed DatAlert Changed DatAlert All Rules Viewed DatAlert Accessed DatAlert Note Added DatAlert Added DatAlert Review (Web) opened DatAlert Accessed DatAlert Rule Created DatAlert Added DatAlert Rule Deleted DatAlert Removed DatAlert Rule Disabled DatAlert Changed DatAlert Rule Edited DatAlert Changed DatAlert Rule Enabled DatAlert Changed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 76

81 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter DatAlert Rule Viewed DatAlert Accessed DatAlert Template Created DatAlert Added DatAlert Template Deleted DatAlert Removed DatAlert Template Edited DatAlert Changed Data Transport Engine rules created Data Transport Engine Added Data Transport Engine rules deleted Data Transport Engine Removed Data Transport Engine rules disabled Data Transport Engine Changed Data Transport Engine rules edited Data Transport Engine Changed Data Transport Engine rules enabled Data Transport Engine Changed Data Transport Engine rules paused Data Transport Engine Changed Data Transport Engine rules resumed Data Transport Engine Changed Data Transport Engine rules started Data Transport Engine Changed Data Transport Engine rules stopped Data Transport Engine Changed Data Transport Engine rules viewed Data Transport Engine Accessed Change discarded Editing and Change Removed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 77

82 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter Change mgmt. and commit screen viewed Editing and Change Accessed Commit history viewed (deprecated) Editing and Change Accessed Commit performed Editing and Change Added Commit scheduled Editing and Change Added Commit with Auto Rollback performed (deprecated) Editing and Change Changed Discard admin changes performed (deprecated) Editing and Change Changed Group created in DatAdvantage Editing and Change Added Group deleted in DatAdvantage Editing and Change Removed Group members edited Editing and Change Changed Pending changes data exported Editing and Change Accessed Process data exported Editing and Change Accessed Permissions edited Editing and Change Changed Rollback performed Editing and Change Removed Scheduled process cancelled Editing and Change Removed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 78

83 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter Scheduled process modified Editing and Change Changed Terminate performed Editing and Change Changed Terminate and rollback performed Editing and Change Changed Latest events synchronized Event Monitoring Changed Object monitored Event Monitoring Changed Object unmonitored Event Monitoring Changed Flag added Follow Up Added Flag attached Follow Up Changed Flag detached Follow Up Changed Flag edited Follow Up Changed Flag removed Follow Up Removed Note attached Follow Up Changed Note detached Follow Up Changed Note edited Follow Up Changed Tag added Follow Up Added Tag attached Follow Up Changed Tag detached Follow Up Changed Tag edited Follow Up Changed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 79

84 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter Entity excluded from IDU Analytics IDU Analysis Changed Entity included for IDU Analytics IDU Analysis Changed Advanced log viewed Navigation Accessed Alerts viewed Navigation Accessed DatAdvantage closed Navigation Accessed DatAdvantage opened Navigation Accessed Expand performed Navigation Accessed Log viewed Navigation Accessed Permissions viewed Navigation Accessed Statistics viewed Navigation Accessed Ownership assigned Ownership Changed Ownership revoked Ownership Changed Ownership viewed Ownership Accessed Predefined Directory Scope Created Predefined Directory Scopes Added Predefined Directory Scope Deleted Predefined Directory Scopes Removed Predefined Directory Scope Edited Predefined Directory Scopes Changed Export performed Print/Export Accessed METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 80

85 Chapter 5 SUPPORTED EVENTS Operation Type Subcategory Mapping To Operation Category Filter Print performed Print/Export Accessed Object opened Real-time Directory Operations Accessed Object properties window opened Real-time Directory Operations Accessed Report scheduling added Reports Added Report scheduling edited Reports Changed Report scheduling removed Reports Removed Report template added Reports Added Report template edited Reports Changed Report template removed Reports Removed Report viewed Reports Accessed System synchronized Synchronization Changed Platforms Supporting IP Address/Hostname The following platforms provide support for device IP address/hostname for audited events (as visible in the Log area, and in the 1.a and 1.b group of reports). NetApp EMC CEPA (Celerra, VNX and Isilon) Hitachi Directory Services Exchange 2010 Device ID for ActiveSync IP for Outlook clients on Ex07/Ex10, in case IP Agents are installed on the Client Access Servers Unix - Support for Linux-based platforms (not for AIX, Solaris, Novell). This support is only when login is done via CIFS (Samba) and SSH login via SSH. Login via NFS is not supported. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 81

86 Chapter 5 SUPPORTED EVENTS Windows SharePoint: SharePoint Online SharePoint on Premise METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 82

87 6 GENERAL ARCHITECTURE See Metadata Framework Ports and Protocols for a full list of the ports required for the Metadata Framework. METATA FRAMEWORK 6.3 INSTALLATION PREREQUISITES AND REQUIREMENTS 83