Requirements
As per the Minimum Requirements, Sureview requires a domain "service account" for the Sureview services to run as. This can be either a standard User Account or a Group Managed Service Account (gMSA) and must be configured as follows:
- Must have write access to the Database
- Must have write access to the Filestore
- Must be used by all Sureview services and components on all servers (security requirement)
- Must NOT be a member of the "Administrators" group on any servers (for security, the service account must not have unrestricted access to the servers to minimize attack exposure)
- Must NOT be a member of the "Remote Desktop Users" group on any servers (for security, the service account must not be able to log into servers to minimize attack exposure)
- Must be set with the password to not expire (otherwise Sureview will stop working when it expires)
- Must be set with the password not to be changeable (otherwise Sureview will stop working if it is changed)
Location Options
The domain that contains the service user and that the Sureview servers are all members of can be hosted...
- on your own domain controllers that your IT team are responsible for
- on the Sureview servers themselves which SureView are responsible for
Guidance: Allowing Listening On HTTP Ports
Because the service user is not permitted to be an administrator, it must be explicitly granted permission to listen on the HTTP ports used by the Sureview components on each server. This can be achieved with the following commands:
Listing HTTP ACLs
Run the following command to list what Access Control Lists (ACLs) currently exist allowing users to listen on URLs:
netsh http show urlacl
Adding HTTP ACLs
Run one of the following commands to add a URL ACL allowing a user to listen on a URL, depending on whether you are using HTTP or HTTPS and whether the component uses a "*" weak wildcard or "+" strong wildcard (refer to the documentation of the Sureview component for this):
netsh http add urlacl url="http://*:YourPortNumber/" user="YourDomain\YourServiceUser" listen=yes
netsh http add urlacl url="http://+:YourPortNumber/" user="YourDomain\YourServiceUser" listen=yes
netsh http add urlacl url="https://*:YourPortNumber/" user="YourDomain\YourServiceUser" listen=yes
netsh http add urlacl url="https://+:YourPortNumber/" user="YourDomain\YourServiceUser" listen=yes
Deleting URL ACLs
To delete a URL ACL, run the following command with the URL exactly as shown by the listing command above:
netsh http delete urlacl url="TheURLOfTheACL"
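The following PowerShell helper is an added example, not part of the Sureview documentation: it parses the output of "netsh http show urlacl" and only adds a reservation when the service user does not already have Listen rights on that URL, then verifies the result. It assumes English netsh output and the placeholder values in the final line.

```powershell
<# Parses "netsh http show urlacl" into one object per (URL, user) pair. Assumes English output. #>
function Get-UrlAclList {
    $entries = @()
    $url = $null; $user = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') { $url = $Matches[1] }
        elseif ($line -match '^\s*User:\s*(.+?)\s*$') { $user = $Matches[1] }
        elseif ($line -match '^\s*Listen:\s*(Yes|No)') {
            $entries += [pscustomobject]@{ Url = $url; User = $user; Listen = ($Matches[1] -eq 'Yes') }
        }
    }
    return $entries
}

<# True when the user already holds Listen=Yes on exactly this URL (case-insensitive match) #>
function Test-UrlAcl {
    param([string]$Url, [string]$User)
    $hit = Get-UrlAclList | Where-Object { $_.Url -ieq $Url -and $_.User -ieq $User -and $_.Listen }
    return [bool]$hit
}

<# Adds the reservation only if missing; must run from an elevated prompt. The URL needs a trailing slash. #>
function Add-UrlAclIfMissing {
    param([string]$Url, [string]$User)
    if (Test-UrlAcl -Url $Url -User $User) { return "Already present: $Url for $User" }
    $out = & netsh http add urlacl "url=$Url" "user=$User" listen=yes
    if (-not (Test-UrlAcl -Url $Url -User $User)) { throw "Reservation failed: $out" }
    return "Added: $Url for $User"
}

<# Placeholder values: use the port and wildcard form given in the component's documentation #>
Add-UrlAclIfMissing -Url "http://+:YourPortNumber/" -User "YourDomain\YourServiceUser"
```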
Guidance: Changing folder permissions
The service user requires Modify access to the Sureview Program Files folder. To manage folder access control lists (ACLs) use the following PowerShell commands:
Get the ACL rules for a folder
Run the following PowerShell command to get the current permissions of a folder as a nicely formatted list:
Get-Acl -Path "C:\Program Files (x86)\Immix Cloud" | Format-List
Add access rule to a folder
Run the following PowerShell commands, changing the values of $Username and $Directory to match your environment:
$Username = "immixservice";
$Directory = "C:\Program Files (x86)\Immix Cloud";
<# Allow Modify on the folder, inherited by all subfolders (ContainerInherit) and files (ObjectInherit) #>
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow");
$ACL = Get-Acl $Directory;
$ACL.SetAccessRule($AR);
Set-Acl $Directory $ACL;
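The following PowerShell script is an added verification example, not part of the Sureview documentation. Run on a Sureview server, it checks the service account against the Requirements listed at the top of this page (not in "Administrators" or "Remote Desktop Users", password never expires and cannot be changed) and confirms the Modify access granted in the folder permission commands above. It assumes the placeholder values $ServiceUser (in DOMAIN\account form) and $ProgramDir, a standard user account rather than a gMSA, and the ActiveDirectory RSAT module for the password checks.

```powershell
<# Placeholders: the account as Get-LocalGroupMember shows it, and the Sureview program folder #>
$ServiceUser = "YourDomain\SureviewService"
$ProgramDir  = "C:\Program Files (x86)\Immix Cloud"

<# True when the account is NOT a direct member of the local group (nested domain groups are not expanded) #>
function Test-NotInLocalGroup {
    param([string]$Group, [string]$Account)
    $members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    return -not ($members | Where-Object { $_.Name -ieq $Account })
}

<# True when an Allow rule for the account includes all of the Modify rights #>
function Test-HasModifyAccess {
    param([string]$Path, [string]$Account)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$rules
}

<# Needs the ActiveDirectory module; for a gMSA query Get-ADServiceAccount instead of Get-ADUser #>
function Test-PasswordSettings {
    param([string]$Account)
    $sam = $Account.Split('\')[-1]
    $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, CannotChangePassword
    return [bool]($u.PasswordNeverExpires -and $u.CannotChangePassword)
}

$results = [ordered]@{
    'Not in Administrators'        = Test-NotInLocalGroup -Group 'Administrators' -Account $ServiceUser
    'Not in Remote Desktop Users'  = Test-NotInLocalGroup -Group 'Remote Desktop Users' -Account $ServiceUser
    'Modify on program folder'     = Test-HasModifyAccess -Path $ProgramDir -Account $ServiceUser
    'Password never expires/fixed' = Test-PasswordSettings -Account $ServiceUser
}
$results.GetEnumerator() | ForEach-Object {
    "{0,-30} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Run it on every server the service account is used on, since group membership and folder ACLs are per server.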
Guidance: Domain Basics for Sureview
A domain provides a common user authentication store across multiple servers, using Users and Groups to control what access and permissions the users have across the network.
A typical setup will involve the following steps in order, using the commands explained in the Managing Domains and Managing Domain Members guidance sections below:
- On the server that will become the Domain Controller:
- Set it with a static IP
- Rename it with an appropriate name such as "SureviewDC1"
- Install Active Directory for it to become a Domain Controller for a new domain such as "Sureview.local"
- Create a "Sureview Admins" domain group to put users in that have access to administer the Sureview servers
- Create users for...
- Each individual IT staff member that will be able to administer all servers in the domain and add them to the built-in "Domain Admins" domain group
- Each individual non-IT staff member that will be able to administer the Sureview servers in the domain and add them to the "Sureview Admins" domain group you created
- The "SureviewService" user which will be used for Sureview services to run as (this must not have any administrative access to any servers as it is a security risk)
- On the Sureview servers that will be joined to the domain (the "members"):
- Rename them with an appropriate name, e.g. "SureviewApp1", "SureviewDevices1" etc.
- Add them to the domain
- Add the "Sureview Admins" domain group to the local "Administrators" group so that all Sureview Admins are able to administer those servers
Example of a typical corporate network setup: IT admins who can administer all servers, including an "IT services" server providing Database and Network Share services; Sureview Admins who can administer the Sureview servers; and a Sureview Service user used to run the Sureview services, which has access to the database and filestore on the server that IT manages.
Guidance: Managing Domains
To manage domains on Windows Server use the following PowerShell commands (this method works on a server regardless of having a GUI available - to use the Windows GUI refer to Microsoft documentation).
Creating a new Active Directory forest
Run the following command as the computer administrator account to turn the current server into the domain controller of a new forest:
IMPORTANT:
- Each server in a domain must have a unique Security Identifier (SID) - if you have installed the OS on each server individually then this will be the case. If you have installed the OS by cloning one install on to multiple servers then they will all have the same SID and you must run sysprep (generalize) to generate a new SID on each server
- Before you do this, make sure you have renamed the server with an appropriate name as the current name will be used throughout the domain as the controller name.
- Before you do this, ensure the server has a static IP address set. If you use DHCP and the Domain Controller gets a new IP then all member servers will lose the ability to authenticate.
- The computer Administrator account that you're running the commands as will become the domain administrator - when you log back in after the reboot it will now be "YourDomain\Administrator"
- You will be prompted to provide a Safe Mode administrator password used to gain access in the event of a catastrophic failure needing you to enter the Recovery Mode to restore access - this should be a complex password and recorded somewhere safe for future use
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools;
$domainName = "Sureview.local";
Install-ADDSForest -DomainName $domainName -InstallDNS;
Creating a new domain group
Run the following command as a Domain Administrator to create a new domain group (for instance, creating a "Sureview Admins" group to contain users that will be allowed to administer the Sureview servers):
$groupname = "Sureview Admins";
New-ADGroup -Name $groupname -GroupCategory Security -GroupScope Global;
Creating a new domain user
Run the following command as a Domain Administrator to create a new domain user (for instance, creating a user that will administer Sureview servers, or the Sureview Service user):
$username = "user.name";
$password = ConvertTo-SecureString -String "YourPassword" -AsPlainText -Force;
New-ADUser -Name $username -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true;
Adding a domain user to a domain group
Run the following command as a Domain Administrator to add a domain user to a domain group (for instance, adding a domain user to the "Sureview Admins" domain group to give them access to administer the Sureview servers):
$domainGroup = "Sureview Admins";
$memberToAdd = "user.name";
Add-ADGroupMember -Identity $domainGroup -Members $memberToAdd;
Guidance: Managing Domain Members
To manage computers that are added to a domain ("domain members") use the following PowerShell commands (this method works on a server regardless of having a GUI available - to use the Windows GUI refer to Microsoft documentation).
Adding a computer to a domain
Run the following command as an administrator on the current computer to add it to an existing domain:
IMPORTANT:
- Before you do this, make sure you have renamed the computer with an appropriate name because the current name is how it will appear inside the domain.
- When you log back in after the reboot you will need to log in as a user who is a member of the "Domain Admins" group in order to administer the server
<# NOTE: before you can add a computer to a domain you must change its DNS to come from the domain's DNS server(s) (usually the domain controllers themselves) so it is able to find the domain controllers #>
<# Find the Interface Index of your LAN network adapter using one of these commands #>
Get-NetIpAddress;
Get-DnsClientServerAddress;
<# Change the DNS of the interface to the DNS server(s) for the domain (after this you should be able to run "Resolve-DnsName YourDomainControllerName.YourDomain" and get the correct IP returned) #>
$interfaceIndex = IndexOfYourLANAdapterFromGetCommandsAbove;
$dnsIP = "Your.Domain.DNS.IP";
Set-DnsClientServerAddress -InterfaceIndex $interfaceIndex -ServerAddresses $dnsIP;
<# Add this computer to the domain and reboot (will be prompted for the credentials of a Domain Administrator). #>
$domainName = "Sureview.local";
Add-Computer -DomainName $domainName -Restart;
Adding a domain user/group to a local group
Run the following command as an administrator on the current computer to add a domain group to a local group (for example, adding the "Sureview Admins" domain group to the computer's "Administrators" group to allow Sureview admins to administer the server):
$localGroup = "Administrators";
$memberToAdd = "DomainName\Sureview Admins";
Add-LocalGroupMember -Group $localGroup -Member $memberToAdd;
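The following PowerShell script is an added post-join check, not part of the Sureview documentation. Run from an elevated prompt on a member server after the reboot, it confirms the steps in this section took effect: the computer is joined to the domain, the domain controller resolves through the domain DNS you set, the secure channel to the domain is valid, and the "Sureview Admins" group is in the local Administrators group. It assumes the placeholder values $DomainName, $DcName and $AdminGroup (with the domain's NetBIOS name, which defaults to the first label of the DNS name).

```powershell
<# Placeholders: DNS domain name, domain controller host name, and the group in NETBIOS\name form #>
$DomainName = "Sureview.local"
$DcName     = "SureviewDC1"
$AdminGroup = "SUREVIEW\Sureview Admins"

<# True when this computer reports itself as a member of the expected domain #>
function Test-DomainJoin {
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]($cs.PartOfDomain -and $cs.Domain -ieq $Domain)
}

<# Fails if the adapter's DNS still points at a server that does not know the domain zone #>
function Test-DcResolvable {
    param([string]$Dc, [string]$Domain)
    $answer = Resolve-DnsName -Name "$Dc.$Domain" -Type A -ErrorAction SilentlyContinue
    return [bool]$answer
}

<# Errors (e.g. not domain joined) are treated as a failed check rather than thrown #>
function Test-SecureChannel {
    return [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
}

<# Direct membership of the local Administrators group, as Get-LocalGroupMember reports it #>
function Test-LocalAdminGroupContains {
    param([string]$Member)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

$checks = [ordered]@{
    'Joined to domain'                        = Test-DomainJoin -Domain $DomainName
    'DC resolves via domain DNS'              = Test-DcResolvable -Dc $DcName -Domain $DomainName
    'Secure channel to domain is valid'       = Test-SecureChannel
    'Sureview Admins in local Administrators' = Test-LocalAdminGroupContains -Member $AdminGroup
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-42} {1}" -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```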