Preparing the Network Environment

ALERT  LEGACY ARTICLE: The content in this article is no longer updated and is available for reference purposes only. Features and workflows described may be deprecated, significantly changed, or no longer supported.

Environment

  • Datto EDR

Description

Now that you've prepared the HUNT server, the next step is to prepare the network environment by allowlisting the HUNT Survey files and configuring Active Directory.

Allowlisting the HUNT Survey

During a scan, Datto EDR HUNT deploys dissolvable agents (Surveys) to network endpoints. Existing security software may flag these files as malicious, which can cause the survey to fail.

Several binaries therefore need to be allowlisted for execution by other security tools.

Click here to download a CSV of the relevant binary hashes.

The following paths are used by Datto EDR during a scan. If you need to exclude by path or filename, please note the following:

Windows

  • c:\windows\temp\survey.exe

  • c:\windows\temp\s1.exe

  • c:\windows\temp\infocyte*.vbs

Note: if * notation is not supported, add the following 10 entries:

  • c:\windows\temp\infocyte.vbs

  • c:\windows\temp\infocyte1.vbs

  • c:\windows\temp\infocyte2.vbs

  • c:\windows\temp\infocyte3.vbs

  • c:\windows\temp\infocyte4.vbs

  • c:\windows\temp\infocyte5.vbs

  • c:\windows\temp\infocyte6.vbs

  • c:\windows\temp\infocyte7.vbs

  • c:\windows\temp\infocyte8.vbs

  • c:\windows\temp\infocyte9.vbs

Linux

  • /tmp/survey.bin
  • /opt/infocyte/surveys/s1.linux.sh
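Before adding allowlist entries to other security tools, it is worth confirming that the files actually dropped in these paths match the vendor-published hashes rather than allowlisting by path alone, since `c:\windows\temp` is writable by more than the survey. The PowerShell below is an added example, not Datto's own tooling; it assumes the downloaded CSV has `FileName` and `SHA256` columns (hypothetical column names, adjust to the real file) and checks the Windows paths listed above.

```powershell
# Added example (not Datto's script): compare survey binaries present on a host against the
# vendor hash CSV so that allowlist entries can be hash-based rather than path-based.
# Assumptions: CSV columns 'FileName' and 'SHA256' (hypothetical); CSV path is hypothetical.
param(
    [string]$HashCsv = 'C:\temp\datto-edr-survey-hashes.csv',
    [string]$Algorithm = 'SHA256'
)

# Paths from this article; the survey files only exist while a scan is running.
$surveyPaths = @(
    'C:\Windows\Temp\survey.exe',
    'C:\Windows\Temp\s1.exe'
)
$surveyPaths += (Get-ChildItem -Path 'C:\Windows\Temp' -Filter 'infocyte*.vbs' `
                    -ErrorAction SilentlyContinue).FullName

# Index the vendor CSV by hash (upper-case so comparisons are case-insensitive)
$known = @{}
Import-Csv -Path $HashCsv | ForEach-Object {
    $h = "$($_.SHA256)".Trim().ToUpperInvariant()
    if ($h) { $known[$h] = $_.FileName }
}

$results = foreach ($path in ($surveyPaths | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    $hash = (Get-FileHash -LiteralPath $path -Algorithm $Algorithm).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status   # .vbs files report NotSigned
    [pscustomobject]@{
        Path      = $path
        Hash      = $hash
        Signature = $sig
        Status    = if ($known.ContainsKey($hash)) { 'matches vendor CSV' } else { 'UNKNOWN - do not allowlist' }
        CsvName   = $known[$hash]
    }
}

# Anything 'UNKNOWN' in C:\Windows\Temp with a survey-like name deserves a look, not an exception.
$results | Format-Table -AutoSize
```

Run it on an endpoint while a scan is in progress (otherwise the files are gone and the table is empty). A file whose hash is not in the CSV should be treated as a finding, not added to the allowlist.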

Configuring Microsoft Active Directory

Datto EDR requires adequate Microsoft Active Directory domain credentials to perform its authenticated scans. The following steps outline how to set up security groups and Group Policy Objects for Datto EDR. These processes apply only to domains with Windows Server 2012, 2012 R2, or 2016 domain controllers. Perform the following procedures on the server that administers all domain Group Policies.

Step 1: Creating the Windows Security Group

Create a Windows security group called "Datto EDR Scan Group":

  • Log in to the domain controller for the target domain.
  • Open "Active Directory Users and Computers".
  • Click Menu > Action > New > Group.
  • Name the group "Datto EDR Scan Group" and ensure the "Global" and "Security" options are selected.
  • Create a new user for Datto EDR scanning operations and place it in the "Datto EDR Scan Group" security group.

Step 2: Create Group Policy Object

Create a Windows Group Policy Object (GPO) called "Datto EDR Scan GPO":

  • Open "Group Policy Management Console".
  • Right-click Group Policy Objects and select New.
  • Name the policy "Datto EDR Scan GPO".

Step 3: Set the policy to add the "Datto EDR Scan Group" group as Administrators

Now we need to add the newly created security group to the "Datto EDR Scan GPO" and grant it the proper permissions:

  • Right-click "Datto EDR Scan GPO" and select Edit.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  • In the left pane under Restricted Groups, right-click and select Add Group.
  • In the dialog box, select Browse, type "Datto EDR Scan Group", and click Check Names.
  • Click OK twice.
  • Click Add under the "This group is a member of:" label.
  • Add the "Administrators" group.
  • Click OK twice.
    Note: Windows XP and Server 2003 systems require the GPO Client Side Extensions before they can apply and enforce GPOs from Windows Server 2012+ domains. Ensure these are installed before the GPO is applied.

Step 4: Set Datto EDR access to network hosts

Datto EDR requires access to the destination hosts for scanning operations. To allow this, add the "Datto EDR Scan Group" to the "Access this computer from the network" right in the GPO:

  • Right-click Datto EDR Scan GPO and select Edit.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments.
  • Right-click Access this computer from the network and click Properties.
    • Ensure the check-box Define these policy settings is checked.
    • Click Add User or Group.
      • Click Browse and enter "Datto EDR Scan Group" into the text box.
      • Click Check Names.
      • Click OK.
    • Click OK.

Step 5: Firewall configuration (Windows Vista+) via GPO

Datto EDR uses the Server Message Block (SMB) and Windows Management Instrumentation (WMI) protocols to scan a target network. Firewall rules need to be set in the "Datto EDR Scan GPO" to allow this communication:

  • Right-click "Datto EDR Scan GPO" and select Edit.
  • Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  • Right-click in the right pane and choose New Rule...
  • Choose Predefined and select "File and Printer Sharing".
    • Make sure that all rules are check-marked.
    • Click Next.
    • Click Finish.
  • Right-click in the right pane and choose New Rule...
  • Choose Predefined and select "Windows Management Instrumentation (WMI)".
    • Make sure that all rules are check-marked.
    • Click Next.
    • Click Finish.
  • Recommended step: a large amount of information about a target system can be gleaned over WMI. We recommend that an administrator modify the WMI firewall rules so that only specific IP addresses, or specific security groups or users, can use this protocol.

Step 6: Firewall configuration (Windows XP and 2003) via GPO

Systems running Windows XP and 2003 cannot apply the firewall policies that apply to Windows Vista and higher. The following GPO settings enable proper communication for Datto EDR scanning operations on those systems:

  • Right-click "Datto EDR Scan GPO" and select Edit.
  • Expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
  • Right-click "Windows Firewall: Allow inbound file and printer sharing exception" and click Edit.
    • Click Enable.
    • Click OK.
  • Right-click "Windows Firewall: Allow inbound remote administration exception" and click Edit.
    • Click Enable.
    • Click OK.
  • Recommended step: most environments have a mix of Windows operating systems. We recommend adding this step to your GPO for backward compatibility, to ensure that ALL systems are accessible to Datto EDR.

Step 7: GPO Linking

Once the GPO is created, it must be enabled and linked to a specific domain or OU:

  • In "Group Policy Management Console", right-click the target domain or organizational unit (OU) and select Existing GPO.
  • Select "Datto EDR Scan GPO".
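Steps 1, 2, 5 and 7 can be scripted with the RSAT ActiveDirectory, GroupPolicy and NetSecurity cmdlets; the script below is an added example and not Datto's own tooling. It assumes a hypothetical domain `corp.example`, hypothetical OU paths, a hypothetical service account name `svc-dattoedr`, and a hypothetical HUNT server address used to narrow the WMI rules as Step 5 recommends. Restricted Groups (Step 3) and the "Access this computer from the network" right (Step 4) have no cmdlets, so those two steps remain GPMC editor work as described above.

```powershell
# Added example (not Datto's script). Run on the DC or a management host with RSAT installed.
# Hypothetical values: domain, OU paths, service account name, HUNT server IP.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$domain     = 'corp.example'                               # hypothetical
$groupName  = 'Datto EDR Scan Group'
$gpoName    = 'Datto EDR Scan GPO'
$objectOu   = 'OU=Service Accounts,DC=corp,DC=example'     # hypothetical OU for the group and account
$targetOu   = 'OU=Workstations,DC=corp,DC=example'         # hypothetical OU the GPO is linked to
$huntServer = '10.10.10.50'                                # hypothetical HUNT server address
$svcName    = 'svc-dattoedr'                               # hypothetical scan account

# Step 1: global security group plus a dedicated scan account (AES-only Kerberos, not for interactive use)
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'DattoEDRScan' -GroupCategory Security `
        -GroupScope Global -Path $objectOu -Description 'Datto EDR HUNT scanning'
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $objectOu -AccountPassword $pw `
        -Enabled $true -Description 'Datto EDR scan account' -KerberosEncryptionType AES256
}
Add-ADGroupMember -Identity $groupName -Members $svcName

# Step 2: the GPO
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Firewall and rights for Datto EDR HUNT scans' }
$gpoStore = "$domain\$gpoName"     # PolicyStore syntax for a GPO: Domain\GPO name

# Step 5: copy the two predefined inbound rule groups into the GPO and make sure they are enabled.
# Source is this host's persistent firewall store, which carries the predefined rule definitions.
foreach ($ruleGroup in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
    if (-not (Get-NetFirewallRule -PolicyStore $gpoStore -DisplayGroup $ruleGroup -ErrorAction SilentlyContinue)) {
        Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup $ruleGroup -Direction Inbound |
            Copy-NetFirewallRule -NewPolicyStore $gpoStore
    }
    Get-NetFirewallRule -PolicyStore $gpoStore -DisplayGroup $ruleGroup | Set-NetFirewallRule -Enabled True
}

# Recommended hardening from Step 5: only the HUNT server may reach WMI on scanned hosts
Get-NetFirewallRule -PolicyStore $gpoStore -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $huntServer

# Step 7: link the GPO to the target OU, enabled
if (-not ((Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes
}
```

After running it, open the GPO in the GPMC editor to add the Restricted Groups membership (Step 3) and the network logon right (Step 4), then confirm the result on a scanned host with `gpupdate /force` followed by `Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Windows Management Instrumentation (WMI)'`, which should show the rules with the HUNT server as the only remote address.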

Step 8: Set the HUNT Server "Log on as a service" local policy

Finally, if the HUNT Server is joined to the domain, a local policy must be configured to allow this security group to install services and "Log on as a service".

The following procedure is performed on the HUNT Server:

  • Open the "Local Security Policy" manager.
  • Expand Security Settings > Local Policies > User Rights Assignment.
  • Right-click "Log on as a service" and click Properties.
    • Click Add User or Group.
      • Click Browse and enter "Datto EDR Scan Group" into the text box.
      • Click Check Names.
      • Click OK.
    • Click OK.
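The same right can be granted from an elevated PowerShell session on the HUNT server with `secedit`, which edits the same security template the Local Security Policy snap-in writes. The script below is an added example, not Datto's own; it assumes a hypothetical NetBIOS domain name `CORP` and only touches the `SeServiceLogonRight` line, leaving every other setting as it is.

```powershell
# Added example (not Datto's script): grant "Log on as a service" (SeServiceLogonRight) to the
# scan group in the local policy of the HUNT server. Run elevated. 'CORP' is hypothetical.
$account   = 'CORP\Datto EDR Scan Group'
$workDir   = Join-Path $env:TEMP 'seservicelogon'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$exportInf = Join-Path $workDir 'current.inf'
$importInf = Join-Path $workDir 'change.inf'
$dbFile    = Join-Path $workDir 'change.sdb'

# secedit stores principals as *SID, so resolve the group name first
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area and read the current SeServiceLogonRight assignment
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$line    = Get-Content -Path $exportInf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$current = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
$holders = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($holders -contains "*$sid") {
    "$account already holds SeServiceLogonRight"
} else {
    # Keep the existing holders (for example the NT SERVICE accounts) and append the group
    $new = (@($holders) + "*$sid") -join ','
    @(
        '[Unicode]',
        'Unicode=yes',
        '[Version]',
        'signature="$CHICAGO$"',
        'Revision=1',
        '[Privilege Rights]',
        "SeServiceLogonRight = $new"
    ) | Set-Content -Path $importInf -Encoding Unicode
    secedit.exe /configure /db $dbFile /cfg $importInf /areas USER_RIGHTS | Out-Null
    "Granted SeServiceLogonRight to $account"
}

# Verify by exporting again and showing the effective line
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
Get-Content -Path $exportInf | Where-Object { $_ -match '^SeServiceLogonRight' }
```

If a domain GPO applied to the HUNT server already defines "Log on as a service", that GPO overrides the local setting at the next policy refresh, so in that case the group must be added in the GPO rather than locally.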

Next Steps:

Now that you've prepared your network for Datto EDR HUNT, the next step is Installing Datto EDR HUNT.