From bcf5a6e650d975d17c839171f958c9fd9ca26e2d Mon Sep 17 00:00:00 2001 From: tay caliguiri Date: Wed, 31 Dec 2025 15:25:56 -0500 Subject: [PATCH] Overhaul of Windows File System Permissions --- .../filesystems/windowsfile/access.md | 123 ++++++------------ .../filesystems/windowsfile/activity.md | 87 +++++++++---- .../filesystems/windowsfile/overview.md | 33 ++--- .../appletmodepermissions.md | 51 +++----- .../local-mode-scans/localmodepermissions.md | 52 +++----- .../proxymodeservicepermissions.md | 82 +++++------- .../with-applet/proxymodeappletpermissions.md | 54 +++----- .../target/config/HostMapping1.webp | Bin 0 -> 7298 bytes .../target/config/HostMapping2.webp | Bin 0 -> 8592 bytes 9 files changed, 199 insertions(+), 283 deletions(-) create mode 100644 static/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp create mode 100644 static/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md index 5f32c288c6..a12d007cf7 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md @@ -6,8 +6,8 @@ sidebar_position: 10 # Windows File Server Access & Sensitive Data Auditing Configuration -Permissions required for Access Analyzer to execute Access Auditing (SPAA) and/or Sensitive Data -Discovery Auditing scans on a Windows file server are dependent upon the Scan Mode Option selected. +Permissions required for Access Analyzer to execute Access Auditing (FSAA) and/or Sensitive Data +Discovery Auditing (SEEK) scans on a Windows file server are dependent upon the Scan Mode Option selected. See the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/filesystems.md) topic for additional information. @@ -15,70 +15,60 @@ for additional information. However, additional considerations are needed when targeting a Windows File System Clusters or DFS Namespaces. -## Windows File System Clusters +## Windows File System (Standard) -The permissions necessary to collect file system data from a Windows File System Cluster must be set -for all nodes that comprise the cluster. +Configure the credential(s) with the following rights on the Windows host(s): + +- For **Local** or **Proxy as a Service Mode** Scans: + - Group membership in both of the following local groups: + - Power Users + - Backup Operators +- For **Applet** or **Proxy with Applet Mode** Scans: + - Group membership in the following group: + - Local Administrators + - Granted the “Log on as a batch” privilege + - Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet. + - The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. + - Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. +- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege +- Granted the “Backup files and directories” local policy privilege :::note -It is necessary to target the Windows File Server Cluster (name of the cluster) of -interest when running a File System scan against a Windows File System Cluster. +In order to collect data on administrative shares and local policies (logon policies) for a Windows target, the credential must have group membership in the local Administrators group. ::: +## Windows File System Clusters -Configure credentials on all cluster nodes according to the Windows Operating Systems required -permissions for the desired scan mode with these additional considerations: - -- For - [Applet Mode](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#applet-mode) - and - [Proxy Mode with Applet](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-with-applet): - - - Applet will be deployed to each node - - Credential used in the Connection Profile must have rights to deploy the applet to each node +The permissions necessary to collect file system data from a Windows File System Cluster must be set +for all nodes that comprise the cluster. -- For - [Proxy Mode as a Service](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/scanoptions.md#proxy-mode-as-a-service): +:::note +It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) of interest when running a File System scan against a Windows File System Cluster. +::: - - Proxy Service must be installed on each node - - For Sensitive Data Discovery Auditing scans, the Sensitive Data Discovery Add-on must be - installed on each node +Configure credentials on all cluster nodes according to the Windows File System (Standard) permissions, with the following additional requirements: -Additionally, the credential used within the Connection Profile must have rights to remotely access -the registry on each individual cluster node. +* Remote Registry Service must be enabled on all nodes that comprise the cluster +* Group membership in the local Administrators group +* Granted the “Log on as a batch” privilege -:::tip -Remember, Remote Registry Service must be enabled on all nodes that comprise the cluster. -Configure the credential(s) with the following rights on all nodes: -::: +### Host List Considerations +It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually. -- Group membership in the local Administrators group -- Granted the “Log on as a batch” privilege +See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/hostmanagement/actions/overview) topic for additional information on host inventory. -**Host List Consideration** +- For FSAA and SDD scans, configure a custom host list to target the cluster's **Role Server**. -It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when -running a File System scan against a Windows File System Cluster. Within the Master Host Table, -there should be a host entry for the cluster as well as for each node. Additionally, each of these -host entries must have the name of the cluster in the `WinCluster` column in the host inventory -data. This may need to be updated manually. +The host targeted by the File System scans is only the host entry for the cluster. For example: -See the View/Edit section of the -[Host Management Activities](/docs/accessanalyzer/12.0/admin/hostmanagement/actions/overview.md) topic -for additional information on host inventory. +The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. **This File Server Role Server name will be our target host.** -- For FSAA and SDD scans, configure a custom host list to target the cluster's Role Server. -- For FSAC scans, configure a custom host list to target the Windows File Server Cluster. +### Least Privilege Permission Model for Windows Clusters -The host targeted by the File System scans is only the host entry for the cluster. For example: +If a least privilege model is required by the organization, then the credential must have READ access on the following registry key: -The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named -`ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the -StealthAUDIT Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and -`ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the -`WinCluster` column: `ExampleCluster1`. Only the `ExampleCluster1` host would be in the host list -targeted by the File System scans. +* `HKEY_LOCAL_MACHINE\Cluster\Nodes` **Sensitive Data Discovery Scans** @@ -89,39 +79,6 @@ comprise the cluster: - Power Users - Backup Operators -**Activity Auditing Scans** - -The Netwrix Activity Monitor must deploy an Activity Agent on all nodes that comprise the Windows -File System Cluster. The Activity Agent generates activity log files stored on each node. Access -Analyzer targets the Windows File Server Cluster (name of the cluster) of interest in order to read -the activity. See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for -additional information. - -The credential used Access Analyzer to read the activity log files must have: - -- Membership in the local Administrators group - -The FileSystemAccess Data Collector needs to be specially configured to run the -[1-FSAC System Scans Job](/docs/accessanalyzer/12.0/solutions/filesystem/collection/1-fsac_system_scans.md) -against a Windows File System Cluster. On the -[FSAA: Activity Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/activitysettings.md), -configure the Host Mapping option. This provides a method for mapping between the target host and -the hosts where activity logs reside. However, this feature requires **advanced SQL scripting -knowledge** to build the query. - -**Membership in the local Administrators group** - -### Least Privilege Permission Model for Windows Cluster - -If a least privilege model is required by the organization, then the credential must have READ -access on the following registry keys: - -- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` -- `HKEY_LOCAL_MACHINE\Cluster\Nodes` - -Additionally, the credential must have READ access to the path where the activity log files are -located. - ## DFS Namespaces The FileSystem > 0.Collection > 0-FSDFS System Scans Job is configured by default to target the @@ -136,8 +93,4 @@ the FileSystem > 0.Collection Job Group unless additional file servers are also If the DFS hosting server is part of a Windows Cluster, then the Windows File System Clusters requirements must be included with the credential. -**DFS and Activity Auditing Consideration** -For activity monitoring, the Netwrix Activity Monitor must have a deployed Activity Agent on all DFS -servers identified by the 0-FSDFS System Scans Job and populated into the dynamic host list. See the -[Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for additional information. diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md index d6db6c4e72..64ffdd9481 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md @@ -6,46 +6,81 @@ sidebar_position: 20 # Windows File Server Activity Auditing Configuration -In order for the Netwrix Activity Monitor to monitor Windows file server activity, an Activity Agent -must be deployed to the server. It cannot be deployed to a proxy server. However, additional -considerations are needed when targeting a Windows File System Clusters or DFS Namespaces. +In order for Netwrix Access Analyzer to collect and store Windows file server activity, an activity monitor agent for Netwrix Activity Monitor must be deployed to the server and monitoring. See the [Single Activity Agent Deployment](https://docs.netwrix.com/docs/activitymonitor/9_0/admin/agents/overview) topic for additional information. + +## Windows File System (Standard) + +Configure the credential(s) with the following rights on the Windows host(s): + +- For **Local** or **Proxy as a Service Mode** Scans: + - Group membership in both of the following local groups: + - Power Users + - Backup Operators +- For **Applet** or **Proxy with Applet Mode** Scans: + - Group membership in the following group: + - Local Administrators + - Granted the “Log on as a batch” privilege + - Remote Registry service must be enabled on the host where the applet is deployed (Applet or Proxy w/ Applet scans) to determine the system platform and where to deploy the applet. + - The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. +- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege +- Granted the “Backup files and directories” local policy privilege +- The service account in the credential profile requires access to the admin share (e.g. `C$`) where the `sbtfilemon.ini` file exists +- READ access on the following registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` ## Windows File System Clusters -In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all -nodes that comprise the Windows File System Cluster. The credential used to deploy the Activity -Agent must have the following permissions on the server: +In order to monitor a Windows File System Cluster, an Activity Agent needs to be deployed on all nodes that comprise the Windows File System Cluster. -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only +:::note +It is necessary to target the Windows Cluster File Server Role Server (name clients connect to) when running a File System scan against a Windows File System Cluster. +::: + +Configure credentials according to the Windows File System (Standard) permissions on all cluster nodes that comprise the cluster, with the following additional requirements: -It is also necessary to enable the Remote Registry Service on the Activity Agent server. +- Remote Registry Service must be enabled on all nodes that comprise the cluster +- Group membership in the local Administrators group +- Granted the “Log on as a batch” privilege -For integration between the Activity Monitor and Access Analyzer, the credential used by Access -Analyzer to read the activity log files must have also have this permission. +### Host List Considerations -After the agent has been deployed, it is necessary to modify the HOST parameter in the -`SBTFilemon.ini` file to be the name of the cluster. For integration with Netwrix Access Analyzer -(formerly Enterprise Auditor), this must be an exact match to the name of the cluster in the Master -Host Table. +It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster. Within the Master Host Table, there should be a host entry for the cluster as well as for each node. Additionally, each of these host entries must have the name of the cluster in the `WinCluster` column in the host inventory data. This may need to be updated manually. -## DFS Namespaces +See the View/Edit section of the [Host Management Activities](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/hostmanagement/actions/overview) topic for additional information on host inventory. -In order to monitor activity on DFS Namespaces, an Activity Agent needs to be deployed on all DFS -servers. +- For FSAC scans, configure a custom host list to target the cluster's **Role Server**. +The host targeted by the File System scans is only the host entry for the cluster. + +:::note Example: + +The environment has a Windows File System Cluster named `ExampleCluster1` with three nodes named `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. There would be four host entries in the Access Analyzer Master Host Table: `ExampleCluster1`, `ExampleNodeA`, `ExampleNodeB`, and `ExampleNodeC`. Each of these four entries would have the same value of the cluster name in the `WinCluster` column: `ExampleCluster1`. An additional entry containing the File Server Role Server name(s) should also be added, including the WinCluster name of the nodes. This File Server Role Server name will be our target host. +::: + +### Host Mapping :::note -The FileSystem > 0.Collection > 0-FSDFS System Scans Job in Netwrix Access Analyzer -(formerly Enterprise Auditor) can be used to identify all DFS servers. +Host Mapping is only required for multi-role cluster setups. See topic [Windows File Server Activity Auditing Configuration - Multi-Role (Advanced) Setup](https://docs.netwrix.com/docs/activitymonitor/9_0/requirements/activityagent/windowsfs-activity) ::: +1. Create new table in the Access Analyzer database to be used as the Host Mapping table. The column names are case sensitive. + 1. **3 Columns:** LogLocation, HostName, Host + 2. **Data Type:** nvarchar(MAX) + +![Host Mapping Table Design](/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp) + +2. Configure the new host mapping table to such: + 1. **LogLocation:** Name of the host/node where activity logs reside. + 2. **HostName:** Name of the configured Report hostname as value in the Activity Monitor. + 3. **Host:** Name of the host being targeted in the FSAC scan and Bulk Import which the activity events will be mapped to (Role Server). + +![Host Mapping Table Example](/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp) + +3. Enable host mapping on the *Activity Settings* tab of the FSAC System Scan query configuraton. See topic [FSAA: Activity Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/activitysettings) for additional information. -The credential used to deploy the Activity Agent must have the following permissions on the server: +### Least Privilege Permission Model for Windows Clusters -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only +If a least privilege model is required by the organization, then the credential must have READ access on the following registry keys: -It is also necessary to enable the Remote Registry Service on the Activity Agent server. +* `HKEY_LOCAL_MACHINE\Cluster\Nodes` +* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters` -For integration between the Activity Monitor and Access Analyzer, the credential used by Access -Analyzer to read the activity log files must have also have this permission. +Additionally, the credential must have READ access to the path where the activity log files are located. \ No newline at end of file diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md index 75d43d167f..0f7c03c296 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/overview.md @@ -7,15 +7,15 @@ sidebar_position: 120 # Windows File Server Target Requirements Netwrix Access Analyzer (formerly Enterprise Auditor) can execute Access Auditing (FSAA) and/or -Sensitive Data Discovery Auditing scans on Windows file servers. The Netwrix Activity Monitor can be +Sensitive Data Discovery Auditing (SEEK) scans on Windows file servers. The Netwrix Activity Monitor can be configured to monitor activity on Windows file servers and make the event data available for Access Analyzer Activity Auditing (FSAC) scans. ## Access & Sensitive Data Auditing Permissions -- Permissions vary based on the Scan Mode Option selected. See the +Permissions vary based on the Scan Mode Option selected. See the [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/filesystems.md) - topic for additional information. + topic for additional information on the various scan modes available and [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md). **Windows File System Cluster Requirements** @@ -27,7 +27,7 @@ instructions. See the [Windows File Server Access & Sensitive Data Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/access.md) topic for instructions. -## Access & Sensitive Data Auditing Port Requirements +### Access & Sensitive Data Auditing Port Requirements The firewall ports required by Access Analyzer for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans are based on the File System scan mode to be used. See the @@ -36,36 +36,21 @@ topic for additional information. ## Activity Auditing Permissions -Requirements to Deploy the Activity Agent on the Windows File Server - -The Netwrix Activity Monitor must have an Activity Agent deployed on the Windows file server to be -monitored. While actively monitoring, the Activity Agent generates activity log files stored on the -server. The credential used to deploy the Activity Agent must have the following permissions on the -server: - -- Membership in the local Administrators group -- READ and WRITE access to the archive location for Archiving feature only - -It is also necessary to enable the Remote Registry Service on the Activity Agent server. - -For integration between the Activity Monitor and Access Analyzer, the credential used by Access -Analyzer to read the activity log files must have also have this permission. +Permissions vary based on the Scan Mode Option selected. See the + [File System Supported Platforms](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/filesystems.md) + topic for additional information on the various scan modes available and [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md). **Windows File System Cluster Requirements** See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for instructions. -**Windows File System DFS Namespaces Requirements** - -See the [Windows File Server Activity Auditing Configuration](/docs/accessanalyzer/12.0/requirements/filesystem/filesystems/windowsfile/activity.md) topic for instructions. - **Activity Monitor Archive Location** If the activity log files are being archived, configurable within the Netwrix Activity Monitor Console, then the credential used by Access Analyzer to read the activity log files must also have READ and WRITE permissions on the archive location. -## Activity Auditing Port Requirements +### Activity Auditing Port Requirements Firewall settings depend on the type of environment being targeted. The following firewall settings are required for communication between the Agent server and the Netwrix Activity Monitor Console: @@ -80,7 +65,7 @@ port range, which cannot be specified via an inbound rule. For more information, [Connecting to WMI on a Remote Computer](https://msdn.microsoft.com/en-us/library/windows/desktop/aa389290(v=vs.85).aspx) article. -Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor +**Additional Firewall Rules for Integration between Access Analyzer and Activity Monitor** Firewall settings are dependent upon the type of environment being targeted. The following firewall settings are required for communication between the agent server and the Access Analyzer Console: diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodepermissions.md b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodepermissions.md index ab11ca5a24..f50afaac10 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodepermissions.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodepermissions.md @@ -6,27 +6,13 @@ sidebar_position: 10 # Applet Mode Permissions -When File System scans are run in applet mode, it means the File System applet is deployed to the -target host when the job is executed to conduct data collection. However, the applet can only be -deployed to a server with a Windows operating system. The data is collected on the Windows target -host where the applet is deployed. The final step in data collection is to compress and transfer the -data collected in the SQLite database(s), or Tier 2 database(s), back to the Access Analyzer Console -server. If the target host is a NAS device, the File System scans will default to local mode for -that host. - -Configure the credential(s) with the following rights on the Windows target host(s): - -- Group membership in the local Administrators group -- Granted the “Backup files and directories” local policy privilege -- Granted the “Log on as a batch” privilege -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the target host/proxy server as well as on the Access Analyzer Console -server. This is required by either the user account running the Access Analyzer application, when -manually executing jobs within the console, or the Schedule Service Account assigned within Access -Analyzer, when running jobs as a scheduled tasks. +When File System scans are run in applet mode, it means the File System applet is deployed to the target host when the job is executed to conduct data collection. However, the applet can only be deployed to a server with a Windows operating system. The data is collected on the Windows target host where the applet is deployed. The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the Access Analyzer Console server. If the target host is a NAS device, the File System scans will default to local mode for that host. + + +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the target host/proxy server as well as on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. + + +Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. :::tip Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for @@ -34,20 +20,25 @@ Applet Mode or Proxy Mode with Applet scans) to determine the system platform an the applet. ::: - :::warning The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start. ::: +See the [Applet Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodeports.md) topic for firewall rule information. -Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the -server where the applet is to be deployed in order for Sensitive Data Discovery collections to -successfully occur. +## Accounts Used +- **Job Execution:** Scheduled Task or Console User (launches the job) +- **Target Access:** Connection Profile Account (always used for scanning) -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. +:::note +By default, the Applet will run as the connection profile account unless an additional credential is added to the connection profile using either **Task (Local)** or **Task (Domain)**. +::: -See the [Applet Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/applet-mode-scans/appletmodeports.md) topic for firewall rule information. +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/) page for specific requirements per target file system. + +## How do I determine if I’m using Applet Mode scanning? + +The best way to verify if you’re using Applet Mode scanning is via the FSAA Data Collector Query Settings > [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/scanserverselection) page: + +- **Automatic** — If the target host being scanned is a Windows host, NEA will deploy for FS scanning. \ No newline at end of file diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodepermissions.md b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodepermissions.md index e5cdb53c2b..fdad7eebc1 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodepermissions.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodepermissions.md @@ -6,47 +6,35 @@ sidebar_position: 10 # Local Mode Permissions -When File System scans are run in local mode, it means all of the data collection processing is -conducted by the Access Analyzer Console server across the network. The data is collected in the -SQLite database(s), or Tier 2 database(s), on the Access Analyzer Console server, and then imported -into the Access Analyzer database, or Tier 1 database, on the SQL Server. +When File System scans are run in local mode, it means all of the data collection processing is conducted by the Access Analyzer Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the Access Analyzer Console server, and then imported into the Access Analyzer database, or Tier 1 database, on the SQL Server. -The account used to run either a manual execution or a scheduled execution of the File System scans, -must have the following permissions on the Access Analyzer Console server: + +The account used to run either a manual execution or a scheduled execution of the File System scans, must have the following permissions on the Access Analyzer Console server: - Group membership in either of the following local groups: - - Backup Operators - - Administrators + - Backup Operators + - Administrators -Configure the credential(s) with the following rights on the Windows host(s): -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. -For Windows Server target hosts, the credential also requires: -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege +If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 additional GB of RAM per host.  By default, SDD scans are configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts at a time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). -In order to collect data on administrative shares and local policies (logon policies) for a Windows -target, the credential must have group membership in the local Administrators group. -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the Access Analyzer Console server. This is required by either the user -account running the Access Analyzer application, when manually executing jobs within the console, or -the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled -tasks. +Firewall rules must be configured to allow for communication between the applicable servers. See the [Local Mode Port Requirements](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/scanoptions/local-mode-scans/localmodeports) topic for firewall rule information. -If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount -of RAM. Each thread requires a minimum of 2 additional GB of RAM per host.  By default, SDD scans -are configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts -at a time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). +See the [Local Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodeports.md) topic for firewall rule information. -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. +## Accounts Used +- **Job Execution:** Scheduled Task Account or Console User (launches the job) +- **Target Access:** Connection Profile Account (always used for scanning) -See the [Local Mode Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/local-mode-scans/localmodeports.md) topic for firewall rule information. +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/) page for specific requirements per target file system. + +## How do I determine if I’m using Local Mode scanning? + +The best way to verify if you’re using Local Mode scanning is via the FSAA Data Collector Query Settings > [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/scanserverselection) page: + +- **Automatic** — If the target host being scanned is a NAS/Non-Windows host, a Local Mode scan will be utilized. +- **Local Server** — This will utilize a Local Mode scan, regardless of the OSType of the target host. \ No newline at end of file diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeservicepermissions.md b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeservicepermissions.md index 5b009c0069..3404194000 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeservicepermissions.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeservicepermissions.md @@ -6,62 +6,27 @@ sidebar_position: 10 # Proxy Mode as a Service Permissions -When File System scans are run in proxy mode as a service, there are two methods available for -deploying the service: +When File System scans are run in proxy mode as a service, there are two methods available for deploying the service: -- Pre-Installed File System Proxy Service – File System Proxy Service installation package must be - installed on the Windows proxy servers prior to executing the scans. This is the recommended - method. -- Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the - Windows proxy server when the job is executed +* Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy servers prior to executing the scans. This is the recommended method. +* Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed -The data collection processing is conducted by the proxy server where the service is running and -leverages a local mode-type scan to each of the target hosts. The final step in data collection is -to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to -the Access Analyzer Console server. +The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. -The secure communication is configured during the installation of the service on the proxy server. -The credential provided for the secure communications in the installation wizard is also added to -the Access Analyzer Connection Profile assigned to the File System Solution. **File System Proxy Service Credentials** -The service can be run either as LocalSystem or with a domain account supplied during the -installation of the File System Proxy Service with the following permission on the proxy server: +The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permission on the proxy server: -- Membership in the local Administrators group -- Granted the Log on as a service privilege (**Local Security Policies** > **Local Policies** > - **User Rights Assignment** > **Log on as a service**) -- If running FSAC, the service account in the credential profile requires access to the admin share - (for example, `C$`) where the `sbtfilemon.ini` file exists +* Membership in the local Administrators group +* Granted the Log on as a service privilege (**Local Security Policies** > **Local Policies** > **User Rights Assignment** > **Log on as a service**) -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory. +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory. -**Windows File Server Target Host Credentials** - -Configure the credential(s) with the following rights on the Windows host(s): - -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege - -For Windows Server target hosts, the credential also requires: - -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - -In order to collect data on administrative shares and local policies (logon policies) for a Windows -target, the credential must have group membership in the local Administrators group. **Sensitive Data Discovery Auditing Consideration** -Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later. If running Sensitive -Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM. Each thread -requires a minimum of 2 additional GB of RAM per host.. By default, SDD scans are configured to run -two concurrent threads. For example, if the job is configured to scan 8 hosts at a time with two -concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). +Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later. If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM. Each thread requires a minimum of 2 additional GB of RAM per host.. By default, SDD scans are configured to run two concurrent threads. For example, if the job is configured to scan 8 hosts at a time with two concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32). **Secure Proxy Communication Considerations** @@ -79,12 +44,27 @@ scan. See the [FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement/certificatemanagement.md) topic for additional information. -**Access Analyzer Connection Profile** - -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. - See the [Proxy Mode as a Service Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/as-a-service/proxymodeserviceports.md) topic for firewall rule information. + +## Accounts Used + +- **Job Execution:** Scheduled Task or Console User (launches the job) +- Console ↔ Proxy: **NAA** **Computer Account (Kerberos)** +- Target Access (Proxy ↔ Targets): Connection Profile Account +:::note +If the service is deployed by the File System Scan job (as opposed to manually installed), the account used by the connection profile will be used to run the FSAA Proxy Service unless **Run service as Local System** is checked on the Applet Settings page of the job query. Alternatively, a credential added to the connection profile using either **Task (Local)** or **Task (Domain)** can be used to run the service. + +## How do I determine if I’m using Proxy Mode with Service scanning? + +The best way to verify if you’re using Proxy Mode with Service scanning is via the FSAA Data Collector Query Settings:: + +### Pre-Install File System Proxy Service +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: Require applet to be running as a service on target +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” + +**_OR_** + +### Deploy Service on Scan +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: Windows Service +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” \ No newline at end of file diff --git a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletpermissions.md b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletpermissions.md index 58f97fdf5a..d830390d13 100644 --- a/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletpermissions.md +++ b/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletpermissions.md @@ -6,32 +6,15 @@ sidebar_position: 10 # Proxy Mode with Applet Permissions -When File System scans are run in proxy mode with applet, it means the File System applet is -deployed to the Windows proxy server when the job is executed to conduct data collection. The data -collection processing is initiated by the proxy server where the applet is deployed and leverages a -local mode-type scan to each of the target hosts. The final step in data collection is to compress -and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access -Analyzer Console server. +When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the Access Analyzer Console server. Configure the credential(s) with the following rights on the proxy server(s): - Group membership in the local Administrators group - Granted the Backup files and directories local policy privilege - Granted the Log on as a batch privilege -- If the applet is deployed as a service, the service account requires the Log on as a service - privilege - - See the [FSAA: Applet Settings](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/appletsettings.md) topic for - additional information on the applet launch mechanism - -- If running FSAC, the service account in the credential profile requires access to the admin share - (e.g. `C$`) where the `sbtfilemon.ini` file exists - -Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the -installation directory on the proxy server as well as on the Access Analyzer Console server. This is -required by either the user account running the Access Analyzer application, when manually executing -jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when -running jobs as a scheduled tasks. +Additionally, the credential must have `WRITE` access to the `…\StealthAUDIT\FSAA` folder in the installation directory on the proxy server as well as on the Access Analyzer Console server. This is required by either the user account running the Access Analyzer application, when manually executing jobs within the console, or the Schedule Service Account assigned within Access Analyzer, when running jobs as a scheduled tasks. :::tip Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for @@ -46,26 +29,10 @@ for network authentication” must be disabled in order for the applet to start. ::: -Configure the credential(s) with the following rights on the Windows host(s): - -- Group membership in both of the following local groups: - - Power Users - - Backup Operators -- Granted the “Backup files and directories” local policy privilege - -For Windows Server target hosts, the credential also requires: - -- Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local - Policies > Security Options privilege - Sensitive Data Discovery Auditing scans require .NET Framework 4.7.2 or later to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. -When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials -within the Connection Profile assigned to the File System scans must be properly configured as -explained above. Also the firewall rules must be configured to allow for communication between the -applicable servers. See the [Proxy Mode with Applet Port Requirements](/docs/accessanalyzer/12.0/requirements/filesystem/scanoptions/proxy-mode-scans/with-applet/proxymodeappletports.md) topic for firewall rule information. @@ -77,3 +44,20 @@ must be configured via the File System Access Auditing Data Collector Wizard pri scan. See the [FSAA Applet Certificate Management Overview](/docs/accessanalyzer/12.0/admin/datacollector/fsaa/certificatemanagement/certificatemanagement.md) topic for additional information. + +## Accounts Used +- **Job Execution:** Scheduled Task or Console User (launches the job) +- Console ↔ Applet: **NAA** **Computer Account (Kerberos)** +- Target Access (Applet ↔ Targets): Connection Profile Account + +:::note +By default, the Applet will run as the connection profile account unless an additional credential is added to the connection profile using either **Task (Local)** or **Task (Domain)**. +::: + +The account used in the connection profile associated with the File System scan jobs, should have the appropriate permissions required to access the target host. See the [File System Supported Platforms](https://docs.netwrix.com/docs/accessanalyzer/12_0/requirements/filesystem/filesystems/) page for specific requirements per target file system. + +## **How do I determine if I’m using Proxy Mode with Applet scanning?** + +The best way to verify if you’re using Proxy Mode with Applet scanning is via the FSAA Data Collector Query Settings below: +1. [Applet Settings](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/appletsettings) > Applet Launch Mechanism: MSTask Task Scheduler +2. [Scan Server Selection](https://docs.netwrix.com/docs/accessanalyzer/12_0/admin/datacollector/fsaa/scanserverselection) > “Specific Remote Server: “ **OR** “Specific Remote Servers by Host List” \ No newline at end of file diff --git a/static/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp b/static/images/accessanalyzer/12.0/requirements/target/config/HostMapping1.webp new file mode 100644 index 0000000000000000000000000000000000000000..2ef35d5acced8d0022be5a2e3d33eb61a87fb069 GIT binary patch literal 7298 zcmV-|9DUNotqPCrRLW4_=$;Q#A-pZ_t^_y1ei zNBbZA?_dwx&s!h<9?8Gt`anPV`hb7`>qqN%^-kOWv;I^6S@k!=mydnC^^wirOB$5? zgX^c~e>T6X`-T1s@{7*ji+|mEfqqN;kNltZf5yHj4NuG?*q@gFl>YPk&;EnZm-K(k zFX>+e{W1SX_Gk71{ImJD`R~q;cz>qFg8r&-PxxU&nu=|CRp-{uA|o=}-2b z_-B0u9|Hse|+<#-=*N^=oYSwe5F8z=z zGm)KA#=^_)hPa*+{oB6VA>gkEBXU3+2*~d$!kkvX;n&2oX>QF;Gq7jK*}U6!FT-dW zuFr-Kv^uxGUm>kI*Uxtv*e>~1wvax$MepGF$lo{RYhnI7rt$;i39}>$Gco+E&07tR z2r@LTpvhOuH-q9e?h zDGuMF3W523uxllYflk-!%gw?Lhpk5MY#Jn?Cl#f^X{Q+dXY7iB$4)&7C?m&govGD# zn9#@n46X=&#`E7)J{{Et_a~Pcz5TnV@Jah9nK?x#+U9KvXMe_8UjwTNu((c7f#AeFvVK^wI%EvS=(aN=bxv%7$C-4Qs>&a~^-!pSvyX3``5l!K4>WBj43d_qen zWaaJd+$ly=YVvLi(o)Un=sSYJ9Af&(J1gk$EdP?n0Kg@w_TTgD9Yf!NG*K|5lm=a} z!+i&(>)y3;KG9x@37i9nNExI)uE8#HYfoc!p8|TEv>APPP@B~5$#8pDf75R+K+NWI z-&H=(CB{06#t(+G#8n`pSZU69D-yS+3e#7G(~Vquw z#SREUlvF@lyP0TL8Rd){Zpu!`s45L28)wVN2#Au)q&%*a%7#-)4*DjTaCg2RVH(u* z?eO~u)~Ba$BBGK#qMRVxD`7Rzj?jV**bMApzzV$lma0KUzMRa|3u!cI1&M$V008_C zorR8bEdSZI1ITgE5$f$wi|T7xf9ubY4?&B3^{jTBgFX9Rc#il8rZf=Xp$)F)psjZN zk_TjDVjsAG$=Z^wke%#Md5J;0^^xOnGNgT0qd_ct9!<7cQv44`!C%r#!IEsLSb^=* zsep*Xeu-Nk#6L}wy~tcuy8!t95dKviKs9ZWAnj{&zQA&|2N2dYkJ0||w_~9BDC$)y z{B15PaQtg#!b8N0&N|1e@J0mjLFm0QX3#nH7AumEzjbRZk)#*S#|8>m{(8mt8~)3)8`V})4n{ixpm;f3<)y5`=)=lwx$gX=R#ciij3iH z+4OT3%rWhNP>X8%3nG2M&aiXd2wSCKmG(p8x|>Y52cyT(U$caxaP|OtUfr!cKHA!( zZt5q2$TB7-^nfw3ywP;n={V!=OWLD7Wnw5?gLrcUK-I0?)w_TGVBS@@k)qGf5n~U? zzOg|yMdRm%Ib<>iEwGyBWway{0(k5iEZ@Srl^eMfT=Lz=gz@iUtw!MO;oAL|iIO@mT@+lW!kR0uIrD|eFujFiTMp>& zJSrr*_^Wb7z7FS-*LXk)TB#eQO;$l&>_%o4=j#&$#I>8e6OpbaqTk>Amin3 z#J)-RI2e<=B9BAlu%v+u3Tlo#+YEewN$q1wxSOcf5xl)un1z5A!Xos#d|1GYyE5i<1i?gE^HPZ1Yzt z1KE=&E9Qt6_~N)m1E>Q)CaAKuWx_Db)3AQRPwvxb|0>`M8aVC^P&y1{e}9-yM7G0% z&XH7Wo2_J=0a3^$PXI(~FQ8>$37xNeYEo1lO)#n!&N&f{#8S}a^&5~S%L5b)c&VvP z-(Oy^@(_bRB3B*78zi^%Jos4c!c-sqPds5#p8JrEnbe4Eo@Q#g&PM)Xb|-Iul6+$H z8>q=pvFOYaMXm{nOU?Qo|~4D2UB=TN_{o!hnI_|NjO}M9B@u(X}Og z!e|NeI4Q)v_5jP?e>7xir@9#Om(T}ye56xkI)^GXk}+88mA8OzR^+rTNSBTD>cVGg z8O@27&Z&wX~VBd9dt)7+80U30(_-B)knZquKuo-HCay%$pES(-)b;hbK ze=@*nnSpAhZl>52K`&0{C$VT|Gh*t;MagCW-5dRO4g4ZS*^PW#Q-|w5F|AVB zN}`SI42dBN%_MQW#R)Sgc_Q0BC>-B@#)U@le!-<=PgF;i7<&StsArDy0K$Z0msPrM z2EbT2Ev=&t@g=jlk+SK^|E2%AwSZdMYP>WL`tU{81fq;C*SlsGSH)U%3)rmOh5f%? zEDmEVZI|Wt%lX5G2c9vw?$|afrvI`e1_~bz`#px6<3$PemxN1~mT1D2qWY}K$;TQe zw5*rGwFTYyT!^(#im>Zr_Tk-w*)R64kL8Vz;jZn%jf5Hvst@fC%+ge+*=P%%uow5Z ziUm|&7hRj;h=<3`NCY8uRekD6S(H~2Es;lB31EBD$->+?-+JDGIDN?Dy{;zvwznH*pHx3>tv5rz-^CqI)mobMrj)pbA z2A&0HyTRolKw@^J&cCEG#w@*|k5p}spq?0jL!mkfxBP2@>XEMS1Fky8qn5Sj#r=Cm zE1s0@U7Em;@qb!pPm0uggDY|9t6*hY7~RT;z1slf01`(!h|+RimIOVMR2gD%4>0$i zB1qWJJE6JZUn|=hDG(2gY>X<+3Mj8%(K0nd#p1y~AW)59NMs3Z90h5+)Vuj9DGUys zhfV;uy7GNk^oRs+Q@hGePu8P6%JeFTjIm_@^l#Zh_Ru z>XO@3lY7bDAw`{+O+EijP^Kz8s(Rh7cAM+J?cy>Bk0raBity=u~J`M`Y zYOIR97%-p4aBGrUN_nR)@kh$|Y9G-|<$}yk0v){H8rcVy4e)66MVt=rZUO21B=dy@ z?m)AkN2}~|qrIX7Ns;m+bJWkL>EWWdJ)eFBdiSiBib;Cx0-zE+nnqw5;=fR`OV<#7 zC=%V;pFDyve51$N-u^^sNV8DxudtM$*r2Ehr7;K%U8IiI(_O@LYi~Xd@IVGGq|%lt zj7TB)1kbdEwhUmIo|9RFkoAadz%FTv6V?>p2&1R4H{QC+p9klhmW%leNRFk>Xz*Ug zQ|o4+cg0%!2s2vF-Q>hAIF=6HZ0T)rEnR2L?oSM0@&m;ncnBc{7gA|RXJGOJ#UOWS zDR@Fa8UY&NQBLed2V7J?Ej~FRk63@W;=D(V$7*tA!Fz7gbqEaXeRz4Ck_u1Zp7gx) zf7&o@$(sy6C_QyS^{?WwdVMRjk=ob&CKOZz(vX;Vg*X~@sHT>#(no7xDg`+Jarw@> zc00uck_e;3hKaDgNo8Yn$#Gi6d@96$j(2M$>64KDRZI3qfUkLE1EY0$gNZM>9mBSa zZZ3oTIo!jKj4s~>1;-8eQM<;pjXqpHL?T#=G6+$-#F}He^xU|Zr{G_lN5!?6 zvs)-4%jx@No|!ywX6Bog_2A-w#zp+$|2AdX2+oO+Cq#VSFd{q4a9`Cs^V}7wNGgBM zi#wN@31O^UzrX7r`lKqrC#ElLF6$E%597|vbzcgrXEUs83#riJSYF=Xpgzw} z;lV$0;;!0rkp^Tla`EZhL^K(VFQe&|GcNW=gX1AbP3U84k*K1w7$izGgoEJpru|1j zo56OT_2`$n%_v!Z_m`-H%D00Vhe#Dss9^|GE@a^d=sijzN_6#sAB5bA>boIFL^T}v zk=5nbht)~L^BVPq8E3jBHvtEI6L;x+9~lZ7?*F2fUi`S>>AZWz_I_x&*sT!*o~UV# z;x|%9j@NtGe-K5pa_W?*cI(34lt{UUo40BD7tQ}X=BshcbuO&kc^t8O-|y0N)_nY%%_ z1SYFO7IF{bBkh;2Q!uSZe#<{9t$;DVQAQ8vWU+eA#6xHWh6+P2;ge)i;<2pEAY%9fFegO zGc`O>yDI{g`HV1-8WJ?1$dIO0qt}aY{yJI(jhF|@VF=uw#s$8Cr~6PSI{s(?*YKxQAJL9a$IM`oY(k2^YC7mF zm{>HwK5GjI#$+3o;J62hao)IV2Q5~b*dmvpdLzB7H-aN5^rv78`zR!Q+QHea!_Uhf%Goaj-q zE>&G?=4QarPFu|rJh<~2&K)I+xQbqbjAi66x_7YnAycS1ScXIRJ;^xE|6!~G`HSy6 z)*f80E}?iSp_(h*l`r;AQ{2gad}L zpHfqY<`fgy_NYp}5UNdi7*v;k+m&bvZtB!iKMxwDFp@kc8i8?PHUk2a0@7OOVnl0^zQCRuS-=i__=9zG1t`>9qNtGJK(~=yS_;}9z zth5{?2TW4L97VM<3zjuK3yZ2AGruQyxwvhH?SLMg7A-l)BJRf6ozZ3Hf43CKGXOu_ zN0r8a;^ZdewTZV<59gWfJO<_F5j-cn*SwNa&Xd&kSs89wV0Y+PTJWt-&uyh?#-VS0lD>0-Y0ES}kMd?rhRRD~Z$Ap(x>EhdiDA1|@t*o%2ejDH zfSRlN{;!q44L^Ki%W9bBd1whKfY>|7Qm&~Ga{QHOA6Q_c#R&3J!yk1M`(4g#4Fbi zaO7Xl8$D}@k>o_tfq!>cH6)c{mxWG;$S-otuQlIz-hXl;-fS!H`vTz;(uo3Pdm;kc!H0 zKP^I3xkdfiT$=J@yYPl}Ez}P#H@^S3+^&kX%lF?~;r%}!Va~*nzxIWVjQ0!RZ;VnF zW*#WYX2hAI;<9|YcKr4K_1ii>+=2zihA)(NhIXeOz^UqUw85Q-YVIXP-w3vvzeT+b zo-S!eYN>R|oHAv89wty_T2yWwd3GYd1i9;Eg)5=?EeCY}wrDai{nqR(dFD2Cw`VD*hnwKc+nHU#M7)m(Cr?mjSW&f# zepTe<4*B1>OtFeR^p7LN5u>CCdwy`&SBrd;Z_e>RAP;_0cJOZcm1xs<|9uYcd81Wk_? zBL9!Q40saI)V1R$StFH%Otc0 zBvbcpu=2&r{k=}ba@*?FVzw*q8d)_>jxDUN(TL+MHr7~cMd1Jgirlou#f+RJAI^6| zmJ&q8^wPw`vAAsk(Gv@ z9j?LB4OM(8AhNcm7AI_sO<@rF_3E5Px$?u|xSniM!;`Q}edPluvp#7e7j_iD=(Pd+ zy=jkvl;TQUGqC2F-Yo(AauA$QTj*p%K^Z(3=4Y0J4!p?aZWaFs$2KMDJ1hz<*IJqt z-1Lnq^=()&w2nR33g_|zx6SJgPrsG6q6k)5Vt^-ob}?hv#%9_S(Jo&pLxz<1gJTy* z#Aj${zS4)uPN(Bnw4rXh`KlNe{B4KvvwvLp$G~d8^&xkf!~}5Nj2N_B=jX4}(}Sws z=3@$^>#0a-1@g5Ma`#)lZwAAn^G%TN0?G~mtnUg+ESPcQqcS$o_d-MyH<--KuHZS| zI;g_#%t)gnG|~n8yo@}bWwj)A$CVN*D7YvOF#wA4P_v#({{qFdh7^mBvc=@ErG~c| zq3;D+AaXUl8F267uR#PYjUY-sf8EZcSxl>A-xyVgIXWKRUT;kAb7%CsBZ?!TMHe_5 zAyIwI=*nr%`4GQ{NMhsW_^2G5Q>+xdiR789Fg~E)Ju?s4lD!{@wSO{eQzSD4NOK1C zk8`l!wms%A9!}qp+;W*2ucBmuqiPy7bIEHm86k>U6H*;;C|`D(4-mArt976S@blXm z4w^DN^O}Cwhm-OwVPphy?oB+p$pHncI&I_Gmh1HJY6KU3P_dB|zqcwWMNKAO&Ibm7 zlSEVUEKEOcD~dtYVcG)*BU4;+1Xdz!np+Z>H-ijU)6)QenV_}cxx$OTm}HsIwC;|l zpaO|#xfdpaPw)T$0G}U3WqDKk;do*lA=OHg?cvIY!wAc&v_N-dWZlkZW}Jg3BkQU# zFVG31RPF#X?VWd^o<{9 literal 0 HcmV?d00001 diff --git a/static/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp b/static/images/accessanalyzer/12.0/requirements/target/config/HostMapping2.webp new file mode 100644 index 0000000000000000000000000000000000000000..9abf83acbbec2e28f7d6f54580c715fbf711dda5 GIT binary patch literal 8592 zcmV;BA#dJNNk&G9ApihZMM6+kP&gobApii-f&iTXDro_#06vjGnMkFhqM<9(d$6z) z2~F6eKx@JeZF0^Y%N>H+_&tlz9(+J7Cs7I;PWKkQ$yKi7Rh{9EOp!2fIgnf0Cit8kCv zzg_;HoPJMs!zxjWh|NsC0 z?(6@jwa?pc|NiAauwVVgN*@=Wdb4!oiNleopkGcdwN|&SDcZb?Vo*CWM&S>q*By9= zNEVJk>|1Kvp}2)`?y`XDxYDA}R(10cHcrk35Xu(>K_O9%(->T2hzyhKG9oA)%u~>Y zLf0rfky?gdpWp22$AtMONUhsTz={gk%r&#zYl=_I8Vzn9(1zW-G~G2vayjhb_h`7A}*-^(lp=kM~d1uF%SFOn|fy;Bq{I>0KiR*3P{imw3n9~tqk!lC!r4OJuc+3@i zt5!9K>#99(PAaDHn(PxKi!(ZycSX-r^evuE0+tyJwTT^_uBNSv=-1E&{k!HmnNe7k z02%`Jes(XhC2}F*k)Ew}*K^`PBj4(FhYM&``l259Si-QnCHMjV2cU6mE77yEW+ zTP}p_XN7faDZ6m+|MRHZc|*fu8V!xmgXS+XJM1wGg+ccTzc{ck{O)J^6OR!MQvz96 ztG{T!J(#zstFDdT6V*ulf)tkOjor|i(RLjNI0Y=(h0=dMLc2n}>YE&>3^_#bzPE*{ zK5l1O*_)V-0Q!-z|8-RcW82!u80j~rMoKZ26AAt7 zU}uGEa`@lkj|L1g1(#~Rf&ygK>X|>7E~o&d$3Ma`5~_%F-7ap|Q!mu{Q^#ComE}gR zn5JK<5-4kxJp@t)&T~{P;Q@5j%L1c1VQ=SH_GZssY$vfIEaC&I5C8!EIep^*3I=#` zDU#$P@+5sx;{U%?x78jmsi&A%-0qnT3qQDMKWih%(%V5pl%U zT%@pJ7|e5AAAKha^1ytuIG)tdwhC18v7NxwGO?w4|rqlT!M7SSQSX4{WP*~ zX-(4GyN?kg$6WGuJVDQGxL4_oa24`rBF=s&twJ=|6quE^7Dk6JpWK-rs4#NV0Z}gZ z-L+a5x`>4)Rvsu+@!a#5)k##RT(Mw+8w!hjUvv9mm91I|; zU&idkswww7ffyk&FZV*LIpJ#5F?Pk=NiJ{GKR{3VAJsuo7{Z_O&q?R?Nmi|Dak*x^ zOF6M-G2UDf?({ekC-C_LHr9r&whva2@E)-5ZuH<{{e*2MOtPrJ((uYZ&>!sEq_R?6 zWb^qwo1j0guYnfgWHl97 zjVUubKPf!?0;=}5L`$>76*Bs%Fbmqaj(+@3i9|$pxPR(_@J~wG#0}OHkU}?M=gPt> zeqTw&n+dQYl!KT)nX=D~`hme$h3fp3;K!G)2cozP*Zjv!Z4|g~JgcQ%X%U0fk0$c{ zWeP8sNg>73s(@|_@6htg{~w9nJfLJZ`vj>DGOCCi`NXMd$Nz0Mgb=HZNA~ zU+L?+pGZwT+XxW^zowdrD4$rWq-bV<#XW1TCt%*EudVE%{w2|`&T2s|Ng zYyhz1*-kvoQQ?fynZ-GudR%4;S~Q@E zD3#T~O@pIV1<4*(JmN^X1swo~#F`$;hPC!bQmyEO_c7y>-7d3Oc_r0cT}_AZvDw4R zW6m?y>Bk|rP{{O4)ikbIKIqBJw@cpNEncnH01N{_)X6`!U}H{;Z9Qz(dc!Uq zcg;9X3u#vwR#{zUCbm_<+;VY^}{9bJ?)zNP=Y!|%sLPe zF=Dm`;MZD>(U$9qiS2Ix-PrxzjmLox5r$1OdU5}wpIgqHBirz7%}QB__=uND^cvY| zK|BBhtGk#vnfaATDZs!(Z{Wy6w2JQz7F6&i77Fnz-`Lp)Yt@U!BSh4A=C;3-;%nhX zdWg4UiyFS6*(fYq4e_Sv{;bb&&>h*S6(;J<6BA?C?3G3id;j^7M+s3%Ti|mJ$S5*_ zMm=xfd)-C&bK6T$DwJ8YP)dd2DQ8dlY%z_zdRTHPMhls&op zIcs)Tmaa+jidm#NK!l$+k@n5VmPq`f4j%^O+dOWb5n0uM%6CC!1_0$roR*w$VItBa zgRVktaKs{2`R4bLkzgjm#sHLr&MK=(g{uC|&o*KoW~a4IysSgQfD>@ku;-(Q3UU0cmzASu)(<-BaHXwUs##}jg$YzczC9jT(_YA&nxZuB`XyJwp5 znI_5T5c2nXpkg@<3YOm-`%0)(Ns-A!^GMilUd-%T?WQI&QUTp?@srlwNxnkm@b>RT zcvllKIQCA{a=ouy@9Ko*1;$S_B=qz^p2Ze^bS4_42e{6-aq+6Z&mkJ@Tte2|>2^5CBV;cxkZs$x{s3er_hpcg{3EP3WzF zfx8e&6&v7eaE%Iq-h&ODa5C)Z!?PZFI(p^OP?%7FIiFvLj{8}c#-S=B3L?_<42 z01nJt7}CA7hcRMZY>&8iEO~vVm5((e!~PD87WaoSK#dVE za<Amz2^m+0pfa}-^im}>3D{8-tnlz*fqgsvnw zQ(X}^zV32dvCxD+e28tlkH96FfzvzWU!l zk)hX^>BAOvPY_9Z-*M=cWDGlCcwS2z#z*0JmC&=@bt+k|ZU)&ioWwGBMv9rV zJwEi$omPs4%dmosaaijOv7hyiTo{=T8bwSKcnM>t07$Q2w;23vKagkPt4>BBK6K~} zA13hoZ%Hrn>@uDAm zJr~q5KSv&QN0EV;K-st&;@ffd@ZO>XLPiTu_)5^jNf~HctLHTeHOH0%)2GqXWrBi} zYb#N{C2v49ia~b@>ZEH0d^pjO+dcQ!#h+VP7*TDmIWKH&-OFhkzK8hhrCzVEX4b3f zkr?1YHoHEv5Pg-R(m$wRWR)arAy#7kYB*_NAbfPR)!wZ9mNF;qXrL!42ET3*1zFp* z#ey!_^MH-4Ae5G^>l$MLqE-h?Gl{%>|N5MA$KQNd6M|{`Wm?>l;xX!;ZxXwV+VN;z z7E6^q6J&l`CvwA}0iO8@NA@>f&dG`baS^uRrw-F*C3nni#IP8gAf>4fX`NKI#8wv& zQ++W5u8&6hL2DzUlT?VuK3cUgVaIA^+8%p!DlJ`_QpU2?+8~bV+1vKt=`SJoAQzX} zbx0_kuOxD20O{M^00upbHJ*0hJy*praQwwd_7?qj{N(f>K}fgLzpQkstM6-koO74v zHx4+QwN;5b;tb_o3pvEKL%B5Ex7J39{MaRAEwKu`nmjo9MDfB5T|US``@|}iNM4N5 zW$O!3prXRPtSAjwGHrydqX}h$^F>tUItO9X-wUs2Kc31iilb*kT9x7c%TugU`xv9D zrDF9u@EY&ST}t=Ka0R&}lXo$Ix=FXumv}z4<^!Faq!Ajv-E_4WA^b?-{Mu)}d*meD zVt1{3q_px|DGP#R2!Y2-s?;QZ7=AvU>!$)|rmv27;b5R0>LXdZ3n2s6!2aE2BcT!) z%qEl&^$!_VDL&Q9`CMjwh1-Q{h^yP=h>|UzYD->^Ypm*F%;Iw?n5DSKm2qRqJTY|B zcj$7inspXLhi}7v9=fTcUT%*@`$20XqmxvK$39xMF=5AQW!f)~El8>o6q>0S zqQ%`s9W$ozgNWa{X+054!#kPV?Z z{RYH2qEa*U{KzCDTO_9d_UdmFdi;}b})}KBAtMu&D$$CC#Zhw^yr~g zkV^&CL8%-))`ave;$bfDCFZBhd*K1(?5nfh*a0YyYnXVGwq}QG7%opCxpNhUV9JL z0+b3_xBB^N&yX?pAA6@hOE_6O2kv?fGT~9Phn{;Wy1X!5cDcCNksy_7@_CsPg`tUq z!@*@(KZ3CNszZ)WF%f)Ipm>6t-bEow+F&GflQL?qef!zAy3Kx@pnS5FF!PT7Esh+J z#^Ft}V7#(u20aHcO1u=2qmNbc<96i%(^15kbcWUphK?i{XYbRwkVQ$Ui`9}R1$LZ*gU8Kj?ru@Cs?#N<)wT3 z)tB0Y7vWTG>Lk!H&@ZdJ#C4ZKmZ)a~WAeSj4fmFX7ki9U216Q2WPWfy>I{z87pvy# z6}zbu*MRWNDux8`kN(F0YnMT-y$B6h5XpK|yaUnalXy5=amPC88=!9>)KTQL*C4^W zzC66?5Ra|>BOW+X>UnDjF$gPkUO=eUQdTr3ksfgK3DuW>^bR0dE>K10{~hOh=vhsL^qDHS7Z zUXBxxIi!YuJ4pDdGWfL$iQk<&{4_FMDPamYL^ZHT@ln)*bFStjBv7ADJAx}gT*iKG zSv$93B^un8psTKPEN?s%k|236idqeynXJ^w8$36VoGOicnBN?Wu`~-l(T-Mi(q8HU z-kjxnYHamrmJUOb?q&!8TLt-1uVfDL9>j9yE=fC(9bta#B%@oB)D?D5YnJ)VXYX5< z%HavMm0~MP0gJn?xFVD;oJ1l1IHUZt-El!MT(vwk3rcRBbE8;(4ZK@pBn~u<&IO=E z)QQN%PX>N+F{KUVBg#77Ze=5yr}P)=%g%m7Fv8%abq z()K-`y$GlJ>WkYWJYBxi0!SLsbv*s6L{;6dv~>ct!Z;-T=@9N&!Fb%!BeC%uWIWMoK{^ zZq97%bC|}&?6GS4AI7ZU0z%WuW=`r*a3}3QX5m@@sLH*)7Gy^9x~YD;78oncfFj0? ztDARF9Tp;OJ;m7+C&FHx&)-aJ#QA|hQ?#wpaazdSP-Jco?r&^OmMfh1Ockkj2r_?m z4-p5q6ZLgakl8eu=sGAA%&p_KTpzkbDCWR03#Ch3E$aN*O9;9%`!juG)dDOX<3?Tj zw+{|X^d|ZffYALk{j#lbB=QB@Kiayv`Pn(GW&&hjma1`0>qSCca$Dqszh{8BBem*G zt6BlZMr!lgO@R)x8wn5jFsxaQSYaXXP#B`4-=tM^b;oj{{_?wbpjYgo?4Sof2Qs8$ zVv!I>6M@yqPa>;Zlgn(>+bI~yibcF|H(V5}(F78|Y9OT|oS0*b!Pp#O(;uL~8V^0h z=!m5JV9zw+6#;#QIWF=7O&{MkAEGkhh7U1h=S*}aP>6h6ts__ci~wTIH{i=lMz|=i zdBn|1T_s!6${H!kEcMB7+l|QoIiOkTl8P{&xaJaOL}!|Ds9VsW8_h~V=ASp8H`4oI z^atrxpDZ*wtm!C_RF7o;t^&<{V-DW0iR8!AIzlhD4=2)nqX=}iuU8NL-lKgu=@lz; zgy1LmlkRd6_qksH_*Pkdo&z2e;R&8Y=SGJpU$>vk)?FiiUa_;-Bu|?O0)v@XgcqB&f%@81 zUOJf)1<$5g*@`FJ|KO{>g)@8g_p1q#SsG|S&aD-aVE&p8RF%GH3!XtI;M!!h($u(k zskM(CpN?YduV8>$zuCmTB7W%P2wF2Qhv^Hbr9R?F_iV4Q+Y>h^7cEF1NIvszZJkRm z5;g0Wem`&@72EK7B>}E}3lhrE$VxnFABfuef&Vs|zp0EqW@zQ0qlfVrPCmPP6(ePrKl>c*j)2RV$J+>y=%;L;3Xf6gvG zoGeFe@Gn=g@}0%knp0mmC+@WZIaYJ{wm5P_8-+H>grjpEYiU<1l5z{=+_?}9zvcd* zwEFFAAEGPEqs1U>j(JT2ZS-rpbTit**1_onF-@wrpfbhLH!Q0F1jopX{6e4`9Qarf zDXxmu@p0OG*&&krwYSJF{ZTi&(@nZbGuOz%C#$hf8S@EyztCNzM;q(taFj~(EUlJvdSbC;W@}8 zPpS{<8O1Lg>Q!!55sKBO7g|ND?{ZxHb%ibzg2|)4n$8=|_)`K_%O)x6*{Ef`?-Xhp zyBPlwamx6>dCRKq12StW=rdHHAta3&gA>L~Y=Mr6uK#e?6-72uvIsoxVN`S;?+P<< zs+;w?By~Bbm0OJjUjQ}jED)inRL1(E#nkF!VSY|^c6wOwpITw!p7@W z>UO^t)U%Q7v=>YZ*ZRu7eW&u&H-99TcA0=t9TAze*_n3wg95t~{bM^O)qi~wm!y*; zIqs|lRJ8ca+uXd_At(&B+nqAni5?ew)jnx8R^Ol`!5ECxtC)P$`lMc)2a?skh4dAK zIiXxKTx2j7*^U@OF}QSvpBJqd0=fOLUJb# zt(t~g-tk7EtFe#q7aXsQ2b{XD;4>ykgG_N02)i6{A46%THqDzCW&O%BAQfl#uEGnp z^$tKTSvYw9Q$kBlA*L`AwplUh{)!K<)eH{yO@N5(6yZ;x%~F7bnPJv97i@_H#CzmK zq{&1p(gMNQTrhUXn$i9Ebm5VJDUi#ibI(kzOmus0 zLdp|&-YY)<6IpTVT8%p82c!Yet8gF!{M^IiFT-Wo8CFb5pcY^R#ei9Ym`-=+#sO*O z^VoMmB#!Y_ODO0u)uVrBbE!{Iy)TOMR$0YSm2~Qcb)|{S0Z59tGYu?QTSbT02Y$R3 zz`))P-4j*x*|}$)xnR6sTh-8O1x_Mv6LUZrZpU*Tt=XIkF}QU0D6U_>7VTX@ zz0RBU4vKTgHyXI5v93jv)KoOwy#fU3wL6#si1Y1K4j^7dJ+#Kqc{X0wv|q+oaE@<@ z`P_UWS0;wT)8V2bcS)TW*l?vGJ>C}qXC zQorVK&;vmWB(`OM!=)FKb9xmqWE=ep*6P6pI6L9y*-x`ZDH@6$T;yYxHqIK!B9mcI zzylU7Us3oyngT=OsxQRP!1c&e*{o{bUEx$5UR4^^Hf}sOUw#Na268c-#tUgwPGw@PrsO;fzpMV|-uDT_{W^PG}m4H=< zbKcc<4X8Mc{>=j`3xUPB!L8QSf2@}L8w83H0*!X3UqGYOrNO+jS3Ab+gTCMlhoMfn ziTmK3Qu{J-@n@qoJQx#xD?eEPETKHmHKYNG7eyd`&Mx%<3&vKM+_n*V$PY%RX&LmD zs_ao15-xV}@^{J73F8r6-U!agJRuGb<8B9a^<+e!!458iL6Qi$g};!x20I)5Mb3%4 WG8VD`GN1sh%c&<9KmY&$00000(ZTNk literal 0 HcmV?d00001