Sophos Enterprise Console – Multiple Consoles

How to set up multiple Sophos Enterprise Consoles against a single Sophos database.

In some scenarios there is a requirement to run multiple consoles against a single database, for example:

  1. Head Office and a DR site. This is for fail-over: when Head Office goes down, the DR site takes over and the machines remain managed and protected.
  2. Two segmented networks with different IP ranges.


The first step is to install the Sophos database on a central SQL database server.

  1. Run the SEC setup file on the SQL server.
  2. Deselect the following two components:
    1. Management console
    2. Management Server
  3. Click next.
  4. Select the SQL instance where you want the database to be installed.
  5. Complete the installation.


Once the database is successfully installed, install the Sophos Enterprise Console on a separate server.

To install the console, please do the following:

  1. Run the SEC setup file on the server intended for the console.
  2. Deselect the database component.
  3. Click next.
  4. Specify the location of the Sophos database.
  5. Specify the account that is going to be used to connect to the database.
  6. Complete the installation.
  7. The console will open once installation is complete.


Repeat the above installation process for the secondary console.

Now you should have two operational consoles linked to one Sophos database.

However, this design has some limitations.

Limitations:

  1. If the consoles are on two different IP ranges, you need to log onto the relevant console to push a policy or remediate an issue on a machine in the same IP range as that console.
  2. You need to log on to the relevant console to push policies to the machines connected to it. You cannot push policies or remediate from the other console.
  3. When troubleshooting the update managers there are two sets of update logs, one per console.

IPsec Tunnel creation

How to create an IPsec tunnel between two Sophos SG UTM branches.

Log into the main office UTM (the side the remote branch will connect to) and make the following configuration under Site-to-site VPN > IPsec > New Remote Gateway.

Configure the Remote Gateway first

  • Name: Description of the remote connection
  • Gateway type: Respond only (the remote site will initiate the tunnel connection)
  • Authentication type: Pre-shared key (must match on both sites)
  • Remote network: Internal HQ (specify the remote networks that are allowed into the main branch; they must match on both sides)

(Screenshot: IPsec remote gateway settings)

Then create the new IPsec connection:

  • Name: Description of the remote site
  • Remote gateway: IPsec Example (the remote gateway just created)
  • Local interface: the interface the remote branch will connect to, i.e. a publicly reachable address of the main office
  • Policy: AES-128 (the policy must be exactly the same on both UTMs)

(Screenshot: IPsec connection settings)

Log into the remote branch UTM that needs to connect to the main office via IPsec and go to Site-to-site VPN > IPsec > New Remote Gateway.

Configure the Remote Gateway first

  • Name: Description of the remote connection
  • Gateway type: Initiate connection (the remote site initiates the tunnel connection)
  • Gateway:
  • Authentication type: Pre-shared key (must match on both sites)
  • Remote network: Internal HQ (specify the remote networks that are allowed into the main branch; they must match on both sides)

Rapid 7 InsightIDR and NTLM Authentication

The connection error for a SQL Server event source is actually an authentication error between the InsightIDR collector and the SQL event source.

The reason you receive this error is that InsightIDR only supports NTLMv1 authentication.

You will receive this error if you are using Windows authentication on SQL Server 2008 or lower.

There are a couple of solutions that can be used to correct the error.

SOLUTION 1:

  • Upgrade SQL Server to 2012 and set the server to only use NTLMv1 authentication.

SOLUTION 2:

  • Set the server to only use NTLMv1 authentication via GPO or locally.

To set the NTLM authentication level, see the link below:

https://technet.microsoft.com/en-us/library/jj852207(v=ws.11).aspx

SOLUTION 3:

  • Use SQL authentication on the SQL instance on the server.

Sophos Enterprise Console Backup Process

The following backup process backs up all relevant Sophos registry keys and databases for Sophos Enterprise Console, so that all workstations, policies and groups can be fully recovered or migrated.

Registry Keys

32bit OS:

— Certificate key —

Start | Run | regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore

Export the CertAuthStore key and save it to a safe location.

— Database-user key —

Start | Run | regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser

Export the DatabaseUser key and save it to a safe location.


64bit OS:

— Certificate key —

Start | Run | regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Certification Manager\CertAuthStore

Export the CertAuthStore key and save it to a safe location.

— Database-user key —

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\EE\Management Tools\DatabaseUser

Export the DatabaseUser key and save it to a safe location.


Sophos Databases

Stop the Sophos SQL service in the Services console:

Start | Run | services.msc | stop the SQL Server (SOPHOS) service

Once the service has been stopped, please navigate to the following locations:

32/64 bit:

Windows 2008 – C:\program files\microsoft SQL\ Data\Sophos

Windows 2012 – C:\program files\microsoft SQL\ Data\Sophos

Back up the following database files:

Sophosxx.mdf
Sophosxx.ldf
Sophosenc.mdf
Sophosenc.ldf
Sophospatch.mdf
Sophospatch.ldf
Sophossecurity.mdf
Sophossecurity.ldf

Once all databases have been backed up, start the Sophos SQL service again.
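The whole backup above can be scripted so that it is repeatable and verifiable. The following PowerShell script is an added example, not Sophos' own tooling: it exports both registry keys (checking the plain and Wow6432Node locations so it works on 32-bit and 64-bit Windows), stops the SQL instance, copies the Sophos .mdf/.ldf files, records a SHA-256 hash of each copy in a manifest, and restarts the instance. It assumes PowerShell 4 or later, that the SQL instance is named SOPHOS (so its Windows service is MSSQL$SOPHOS), and that you pass the SQL data folder from the text above as -DataDir.

```powershell
<#
  Added example (not Sophos' own tooling): back up the Sophos Enterprise Console
  registry keys and database files in one step.
  Run from an elevated PowerShell prompt on the SEC/database server.
  Assumptions: PowerShell 4+, SQL instance named SOPHOS, -DataDir is the SQL
  data folder for that instance on your server.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$DataDir,                       # SQL data folder holding the Sophos*.mdf/.ldf files
    [string]$BackupRoot = 'C:\SophosBackup',
    [string]$SqlService = 'MSSQL$SOPHOS'    # assumed service name of the SOPHOS instance
)

$ErrorActionPreference = 'Stop'
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# --- Registry keys -----------------------------------------------------------
# The keys live under HKLM\SOFTWARE\Sophos on 32-bit Windows and (for the
# certificate key) under HKLM\SOFTWARE\Wow6432Node\Sophos on 64-bit Windows.
# Rather than hard-coding the bitness, export whichever location exists.
$hives   = @('HKLM:\SOFTWARE\Sophos', 'HKLM:\SOFTWARE\Wow6432Node\Sophos')
$subkeys = @{
    'CertAuthStore' = 'Certification Manager\CertAuthStore'
    'DatabaseUser'  = 'EE\Management Tools\DatabaseUser'
}
foreach ($name in $subkeys.Keys) {
    $found = $hives | ForEach-Object { Join-Path $_ $subkeys[$name] } |
             Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $found) { throw "Registry key $name not found under any expected path" }
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $found -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $regPath (Join-Path $dest "$name.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $regPath" }
}

# --- Database files ----------------------------------------------------------
# SQL Server keeps the .mdf/.ldf files open, so the instance must be stopped
# before copying; the finally block restarts it even if the copy fails.
Stop-Service -Name $SqlService -Force
try {
    $files = Get-ChildItem -Path $DataDir -File |
             Where-Object { $_.Name -match '^Sophos.*\.(mdf|ldf)$' }
    if (-not $files) { throw "No Sophos database files found in $DataDir" }
    $manifest = foreach ($f in $files) {
        Copy-Item -Path $f.FullName -Destination $dest
        # Hash each copy so it can be verified before a restore or migration.
        Get-FileHash -Path (Join-Path $dest $f.Name) -Algorithm SHA256 |
            Select-Object @{ n = 'File'; e = { $f.Name } }, Hash
    }
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
}
finally {
    Start-Service -Name $SqlService
}

Write-Host "Backup written to $dest"
```

Usage: `.\Backup-SEC.ps1 -DataDir '<your SQL data folder>'`. The exported .reg files can be restored with `reg import`, and the manifest.csv hashes let you confirm the database files were not altered in transit before re-attaching them on the new server.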

Sophos SafeGuard – Decryption Policy

The following method can be used to decrypt SafeGuard-encrypted Windows 7, Windows 8 and Windows 10 computers using the SafeGuard Management Center.

By default, users cannot decrypt encrypted drives. Even when the Full Disk Encryption policy setting that allows users to decrypt drives is enabled, users still cannot decrypt the drive unless a decryption policy is also applied to the computer.

In this method we apply a decryption policy to a dedicated group, so that a drive can be decrypted while the policy only applies to the specific computer that requires decryption.

1. Allow the user to decrypt volume within the Full Disk Encryption policy.

(Screenshot: Full Disk Encryption policy with user decryption enabled)

2. Create a decryption policy.
  • Right click on Policy Items, select New, select Device Protection Policy.
  • Name the policy Decrypt. Under Device Protection Target select Local Storage Devices.
  • Next to Media Encryption Mode select No Encryption.
  • Save
3. Create a decryption group.
  • Click on Users and Computers.
  • Click on the Domain Name, right click and select New and then click on Create New Group.
  • Name the group Decryption. Click OK.
4. Apply the decryption policy to the decryption group.
  • Click on the Domain Name. Click on the Policies tab.
  • Under the Available Policies section on the right hand side of the screen, locate the Decrypt Policy and drag and drop it into the center of the screen. Tick the No Override Box and ensure the Priority is set to 1.
  • Under the Available Groups section on the right hand side of the screen, locate the Decryption Group and drag and drop it into the center of the screen. Click the Save button.

(Screenshot: Decrypt policy and Decryption group assigned to the domain)

The policy and group have now been created and applied. No computers will be affected by this policy unless they are moved into the decryption group.

5. Move the computer requiring decryption into the decryption group.
  • Click on Users and Computers.
  • Locate the Decryption Group and click on it. Click on the Members Tab.
  • On the right hand side of the screen under the Available Objects section, locate the computer requiring decryption and drag and drop it into the center of the screen.
  • Click the Save button.

6. The decryption policy is now applied to the desired computer. The next step is to begin the decryption on the target machine.


Windows 7
  • Open Windows Explorer.
  • Click on Computer. Right click on (C:), select Encryption and then select Decryption.


Windows 8 and 10
  • Open the Control Panel. Select View by: small icons.
  • Click on BitLocker Drive Encryption.
  • Select Turn off BitLocker.

The drive will then begin decrypting. This is the recommended method if you need to remove SafeGuard Encryption from an encrypted computer.

Always decrypt the computer before uninstalling the SafeGuard agents.

Here is the link to the full Sophos article should you require further information: https://community.sophos.com/kb/zh-cn/108411

Sophos UTM 9

How to generate a Certificate Signing Request (CSR) on Sophos UTM 9

Omit the brackets (parentheses) when typing the commands below.

  1. Log into the back end (shell) of the UTM.
  2. Switch to the root user (su).
  3. Change to the home directory (cd /home/login).
  4. Create an openssl.config file from the system OpenSSL configuration with the SUBJECT_ALT_NAME lines removed (cat /etc/ssl/openssl.cnf | grep -v SUBJECT_ALT_NAME > ./openssl.config).
  5. Then generate the CSR:
  6. openssl req -config ./openssl.config -new -newkey rsa:2048 -out www.yourdomain.com.csr
  7. You will be prompted for a passphrase and a confirmation passphrase (enter a passphrase of your choice and press Enter).
  8. You will then be prompted for the CSR details (enter the details and press Enter).
  9. The completed CSR is saved in /home/login and can be downloaded with WinSCP.

Sophos XG and Sophos Firewall Manager

Here is a quick breakdown of how to get the firewall and the central management to communicate.

On the XG Firewall do the following:

  1. Navigate to the System (the little gear icon).
  2. Select Administration and then Central Management.
  3. Select Enable Central Management.
  4. For IP Address / Domain, enter the central management device IP.
  5. Under Communication Details, set the Heartbeat Protocol to HTTPS and the Heartbeat Port to 443.
  6. Choose the synchronisation mode that suits you best: either pull the device configuration or use the Firewall Manager to push the configuration.

The Sophos Firewall Manager configuration is as follows:

  1. From Home navigate to Device Configuration and select Add Device
  2. Enter all Device Information and click Next
  3. Define Communication Mode and click Next
  4. Choose whether to update device firmware
  5. Configure Backups
  6. Select a template to Auto Configure Device and click Next
  7. The XG Firewall will now be communicating with the Sophos firewall manager.

SafeGuard – Windows 10 and Bitlocker Decryption

PROBLEM:

BitLocker cannot be turned off or disabled while it is being managed by SafeGuard. As soon as you turn it off, BitLocker goes into a loop and turns back on straight away. SafeGuard also cannot be uninstalled as long as the drive is encrypted by BitLocker (see the error message below).

(Screenshot: SafeGuard uninstall error while BitLocker is active)

Although there is an option to turn off BitLocker, once you select it BitLocker turns back on straight away, so the drive does not decrypt (see the screenshots below).

SOLUTION:

1. Under the ‘Policy and Groups’ tab, create a new full disk encryption policy set to ‘no encryption’.

(Screenshot: full disk encryption policy set to no encryption)

2. Create a new policy group called Standalone and assign the decryption policy to that policy group.

(Screenshot: Standalone policy group with the decryption policy assigned)

3. Create a Standalone Configuration Package: click on Tools > Configuration Package > Standalone Configuration Package and select the decryption group (Standalone Package) in the Policy Group dropdown menu.

(Screenshot: Standalone configuration package dialog)

4. Click Create Configuration Package button.

Once the package has been created, install it on the machine that needs to be decrypted. After installation you will be able to turn off BitLocker.