Sophos Enterprise Console – Multiple Consoles

How to setup multiple Sophos Enterprise Consoles to a single Sophos database.

In some scenarios, there will be a requirement of running multiple consoles to a single database, such as with:

  1. Head Office and a DR site – This is for fail-over, so when Head Office goes down, the DR site takes over and the machines are still managed and protected.
  2. Running two segmented networks with different IP ranges.

 

The first step you will need to do is to install the Sophos database on a central SQL database server.

  1. Run the SEC setup file on the SQL server.
  2. Deselect the following 2 components:
    1. Management console
    2. Management Server
  3. Click next.
  4. Select the SQL instance where you want the database to be installed.
  5. Complete the installation.

 

Once the database is successfully installed, you will need to install the Sophos Enterprise console as a separate server.

To install the console, please do the following:

  1. Run the SEC setup file on the Sever for the console.
  2. Deselect the database component.
  3. Click next.
  4. Specify where the location of the Sophos database is installed.
  5. Specify the account that is going to be used to connect to the database.
  6. Complete the installation.
  7. The console will open once installation is complete.

 

Repeat the above installation process for the secondary console.

Now you should have two operational consoles linked to one Sophos database.

However, there are some limitations to this design of implementation.

Limitations:

  1. If the consoles are on two different IP ranges, you will need to log onto the relevant console to push a policy or remediate an issue on the machine on the same IP range as the console.
  2. You will need to log on to the relevant console to push policies to the machines that are connected to it. You will not be able to push policies or remediate from the other console.
  3. Troubleshooting the console update managers, you will have two locations of update logs. A separate update log for each console.

Rapid 7 InsightIDR and NTLM Authentication

The connection error to a SQL server event source is actually an authentication error from the InsightIDR collector to the SQL Event source.

The reason you are receiving this error is that InsightIDR only supports NTLMv1 authentication.

You will receive this error if you are using windows authentication on the SQL 2008 or lower.

There are a couple solutions that can be used to correct the error.

SOLUTION 1:

  • Upgrade the SQL version to 2012 and set the server to only use NTLMv1 authentication.

SOLUTION 2:

  • Set the server to only use NTLMv1 authentication via GPO or locally.

To set the NTLM authentication levels, please see the link below:

https://technet.microsoft.com/en-us/library/jj852207(v=ws.11).aspx

SOLUTION 3:

  • Use SQL authentication on the SQL instance on the server.

Sophos Enterprise Console Backup Process

The following backup process is for backing up all relevant Sophos registry keys and databases for the Sophos Enterprise console to ensure full recovery or migration of all the workstations, policies and groups.

Registry Keys

32bit OS:

— Certificate key —

Start | Run | regedit

HK Local Machine | Software | Sophos | certification manager | CertAuthStore

Please export the CertAuthStore, and save it to a location.

— Database-user key —

Start | Run |reg-edit

HK Local Machine | Software | Sophos | EE | Management Tools | database-user

Please export the ‘database-user’, save it to a location.

 

64bit OS:

— Certificate key —

Start | Run |reg-edit

HK Local Machine | software | Wow6432node | Sophos | certification manager | CertAuthStore

Please export theCertAuthStore, and save it to a location.

— Database-user key —

HK Local Machine | Software | Sophos | EE | Management Tools | databaseuser

Please export the ‘database-user’, save it to a location.

 

Sophos Databases

Please stop the Sophos SQL service within the computer services. Please do the following

Start | type ‘run’ and open the run box | type ‘services.msc’ | stop SQL service(SOPHOS)

Once the service has been stopped, please navigate to the following locations:

32/64 bit:

Windows 2008 – C:\program files\microsoft SQL\ Data\Sophos

Windows 2012 – C:\program files\microsoft SQL\ Data\Sophos

Please backup the following databases:

Sophosxx.mdf
Sophosxx.ldf
Sophosenc.mdf
Sophosenc.ldf
Sophospatch.mdf
Sophospathc.ldf
Sophossecurity.mdf
Sophossecurity.ldf

Once all databases have been backed up, please restart the Sophos SQL service again.

SafeGuard – Windows 10 and Bitlocker Decryption

PROBLEM:

BitLocker can’t be turned off/disabled when it is being managed by SafeGaurd. As you turn it off, BitLocker goes into a loop and turns back on straight away. SafeGuard also can’t be uninstalled as long as the drive is encrypted by BitLocker. (See error message below)

Safeguard bitlocker

Although there is an option available to turn off BitLocker. Once you select it, it turns back on straight away, therefore your drive does not decrypt. (See screenshots below)

image003

image002

SOLUTION:

1. Under the ‘Policy and Groups’ tab, create a new full disk encryption policy set to ‘no encryption’.

Policy

2. Create a new policy group called Standalone and assign the decryption policy to that policy group.

Group

3. Create a a Standalone Configuration Package – click on Tools > Configuration Package > Standalone Configuration Package and select the decryption group (Standalone Package) in the Policy Group dropdown menu.

configuration package

4. Click Create Configuration Package button.

Once the package has been created install it on the machine that needs to be decrypted. Once installed, you will now be able to turn off BitLocker.