Event Centralization in Endpoint Privilege Management

This document provides guidance on how to centralize Endpoint Privilege Management events to a central server using Windows Event Forwarding (WEF). BeyondTrust provides an Endpoint Privilege Management Reporting Pack, which includes enterprise-class trend analysis dashboards, allowing organizations to understand and be proactive about the Endpoint Privilege Management events raised in their environment.

With the Endpoint Privilege Management Reporting Pack, Endpoint Privilege Management events from all managed endpoints can be centrally collected to a SQL Server database. The Endpoint Privilege Management Reporting Pack builds on a number of Microsoft technologies, including:

  • Windows Event Forwarding
  • SQL Server
  • SQL Server Reporting Services (SSRS)

This approach provides a scalable and secure architecture that can manage high volumes of events and the largest enterprise environments.

Event Forwarding is provided by Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol. The protocol is SOAP-based and firewall-friendly, providing a common way for systems to access and exchange management information across an IT infrastructure.

One of the most powerful features of WinRM is the ability to forward events, enabling large scale health and state status monitoring of Windows environments (also known as Windows Eventing 6.0). Not only is this feature built into the latest versions of Windows (originally shipped with Windows Vista and Windows Server 2008), but it is also available for down-level operating systems.

For more information on BeyondTrust’s Endpoint Privilege Management Reporting Pack, see www.beyondtrust.com/support.

Event Centralization Definitions

Event Forwarders and Event Sources

The events you are interested in reside on these hosts.

Event Collector

Events are collected on these hosts based on event subscriptions defined on the collector host.

Event Subscriptions

Event subscriptions are defined on the event collector and determine which events are collected. Group Policy does not support the definition of event subscriptions. Event subscriptions define:

  • Event source hosts in scope
  • Events in scope on those hosts
  • Event data transmission characteristics: push from source/pull from collector, frequency, HTTP/HTTPS

There are 2 ways for event source computers to become aware of event collection subscriptions.

  • Collector-initiated subscription (pull): Subscription information is pushed to the event source hosts by the event collector using WinRM. This requires the event forwarder/source to listen for incoming WinRM connections from the collector.
  • Source-initiated subscription (push): The event source computer connects to the event collector via WinRM and requests subscription information. The event collector may be defined by Group Policy. Source-initiated subscription is preferred for its reliability and scalability in enterprise scenarios. A source-initiated subscription has the advantage that the collector does not need to know a priori the computer names of the remote machines connecting to the service, whereas a collector-initiated subscription requires that information, which is harder to maintain.

Source-initiated subscription is suited for large environments where Group Policy is available. Policy is dictated to the source computer by Group Policy. The source computer is told: contact Collector X and do what it says. Once the source computer contacts the collector, the collector looks up the subscriptions for the source computer and then sets up the subscriptions. From that point on it behaves like a push subscription.

  • Positive: Very simple to configure using a single policy. Supports clustering of collectors. Only requires uni-directional TCP communication since the collector never initiates communication to the source computer.
  • Negative: Requires an AD infrastructure. It can be difficult to verify whether the entire scope of source computers has successfully registered with their respective collectors, since the collector does not know which source computers should be forwarding events to it.

Event subscriptions may not be defined through Group Policy.
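The collector side of a source-initiated subscription, as an added example that is not part of the BeyondTrust documentation or the Reporting Pack. It runs in an elevated PowerShell session on the collector and uses only the built-in wecutil and Get-WinEvent tools. The subscription name, the log path, the delivery timings and the event provider filter are assumptions; the provider name in particular is a placeholder that must be replaced with the provider shown on a real Endpoint Privilege Management event.

```powershell
# Added example (not BeyondTrust's code): define a source-initiated subscription
# on the event collector. Run elevated on the collector host.
# Names, paths and the provider filter below are assumptions.

# 1. Enable the Windows Event Collector service and its WinRM dependency (quiet mode).
wecutil qc /q

# 2. Subscription definition. ConfigurationMode "Custom" lets the delivery settings
#    be stated explicitly: sources push batches that are at most 30 s old and send
#    an hourly heartbeat so the collector can notice sources that have gone silent.
#    PLACEHOLDER-EPM-Provider must be replaced with the real provider name taken
#    from the Details tab of an Endpoint Privilege Management event on an endpoint.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/subscription">
  <SubscriptionId>EPM-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Endpoint Privilege Management events from managed endpoints</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Application">
        <Select Path="Application">*[System[Provider[@Name='PLACEHOLDER-EPM-Provider']]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to register -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'epm-subscription.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding UTF8

# 3. Create the subscription, show its stored definition, then list the sources
#    that have registered so far. The list stays empty until endpoints receive
#    the collector address (by Group Policy) and check in.
wecutil cs $xmlPath
wecutil gs EPM-Events
wecutil gr EPM-Events

# 4. Once events arrive they land in the ForwardedEvents log on the collector.
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, Id, ProviderName
```

The AllowedSourceDomainComputers descriptor is the part to review most carefully: it decides which machine accounts the collector will accept subscriptions from, so scoping it to a dedicated security group instead of all Domain Computers limits which hosts can inject events into the collector's log. `wecutil gr` is also the answer to the troubleshooting gap noted above: it is the collector's only view of which sources have actually registered.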

Windows Remote Management (WinRM)

WinRM is the communication channel leveraged by the Windows Event Forwarders (event sources) and Windows Event Collectors.

There are 2 types of communication between the hosts over WinRM:

  • Event Subscriptions: Which hosts are included, which events, pull or push, how much, how often
  • Event Transmission: The events themselves

WinRM may act as a client or server component. It is necessary to configure WinRM as a server to listen for connections initiated from another host.

The host initiating connections depends on the event collection/forwarding configuration. In the typical configuration, connections are initiated from the forwarder/source to the collector as HTTP or HTTPS on standard WinRM ports.

WinRM may be configured using Active Directory Group Policy.
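Putting WinRM on the collector into its server (listener) role and confirming a source can reach it, as an added example rather than a procedure from the BeyondTrust documentation. The hostname, the certificate thumbprint and the firewall rule name are assumptions; the commands themselves are standard Windows tooling.

```powershell
# Added example (not BeyondTrust's code): configure WinRM as the listening side on
# the collector and check the path from a source. Hostnames, the certificate
# thumbprint and the firewall rule name are assumptions.

# --- On the collector ---------------------------------------------------------
# In the typical (source-initiated) layout the sources open the connection, so only
# the collector needs a listener. quickconfig starts the service, creates the HTTP
# listener on TCP 5985 and adds the matching inbound firewall exception.
winrm quickconfig -q
Set-Service -Name WinRM -StartupType Automatic

# Optional HTTPS listener on TCP 5986. The thumbprint must belong to a server
# certificate in Cert:\LocalMachine\My whose subject matches the collector's name.
$thumbprint = 'PLACEHOLDER-CERT-THUMBPRINT'
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = 'collector.example.com'; CertificateThumbprint = $thumbprint }
New-NetFirewallRule -DisplayName 'WinRM HTTPS (WEF collector)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow

# Show what is actually listening: expect one HTTP and one HTTPS entry.
winrm enumerate winrm/config/listener

# --- On an event source -------------------------------------------------------
# Sources act as WinRM clients only, so no listener is needed there. Test-WSMan
# sends an unauthenticated Identify request; a failure here therefore points at
# DNS, the firewall or the listener rather than at credentials or Kerberos.
Test-WSMan -ComputerName 'collector.example.com'            # HTTP,  TCP 5985
Test-WSMan -ComputerName 'collector.example.com' -UseSSL    # HTTPS, TCP 5986
```

Because the collector never initiates a connection in this layout, the firewall rule on sources can stay closed; only the collector's 5985 or 5986 needs to be reachable, and restricting that rule to the address range of the managed endpoints reduces the listener's exposure.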

Active Directory Group Policy (GPO)

Active Directory (AD) is a directory service created by Microsoft for Windows domain networks and is included in most Windows Server operating systems.

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment.

GPO provides a central configuration mechanism for WinRM and for one aspect of Windows Event Forwarding: the event collector from which subscriptions are retrieved in source-initiated subscriptions.
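The source-side configuration that Group Policy delivers, as an added example that is not part of the BeyondTrust documentation: the registry values written by the "Configure target Subscription Manager" policy setting, applied directly here for a lab machine, followed by the checks that show the source has picked them up. The collector name and refresh interval are assumptions.

```powershell
# Added example (not BeyondTrust's code): the registry values that the Group Policy
# setting "Configure target Subscription Manager" writes on an event source, set
# directly for a lab host, plus verification. Collector name and interval assumed.

# GPO path: Computer Configuration > Administrative Templates > Windows Components
# > Event Forwarding > Configure target Subscription Manager.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $policyKey -Force | Out-Null

# Each value ("1", "2", ...) names one collector; Refresh is the interval in seconds
# at which the source re-reads its subscriptions. For HTTPS use port 5986 and append
# ,IssuerCA=<thumbprint of the CA that issued the collector certificate>.
Set-ItemProperty -Path $policyKey -Name '1' `
    -Value 'Server=http://collector.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# The forwarding plug-in runs as NETWORK SERVICE, which can read the Application
# and System logs but not every custom channel; Event Log Readers grants that.
Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' `
    -ErrorAction SilentlyContinue

# In production these values arrive by GPO. A policy refresh plus a WinRM restart
# makes the source contact the collector now instead of at the next Refresh.
gpupdate /target:computer /force
Restart-Service -Name WinRM

# Verify on the source: the policy value is present, and the forwarding plug-in's
# operational log records subscription retrieval from the collector and any errors.
Get-ItemProperty -Path $policyKey
Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Reading Microsoft-Windows-Forwarding/Operational on a source that is not showing up in the collector's registered-source list is the fastest way to tell a policy problem (no value under the key) from a transport problem (connection or certificate errors logged here).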