Security instructions for SES Evolution
For the security and proper operation of SES Evolution, we recommend that you follow the guidelines below.
Microsoft operating systems provide their own security mechanisms. We recommend that you apply Microsoft's recommendations on the following topics across your pool of workstations and servers:
- Use the NTFS file system.
- Keep the recommended default installation directory configuration.
- From Windows 10, use the Cortana assistant with care.
- Clone workstations and servers sparingly.
- Configure the system dump file (dump or complete dump file). We recommend configuring the operating system to write a dump file containing the complete memory image when the system stops on a crash (stop error), so that the memory state is available for analysis.
- From Windows 8, enable Secure Boot.
- On Windows 10, keep the Hyper-V feature permanently enabled.
- Encrypt the system partition with BitLocker.
- From Windows 10, enable Credential Guard.
- From Windows 8.1, enable additional LSA protection (LSASS running as a protected process).
- Enable TLS 1.2 and disable TLS 1.0 and TLS 1.1 for communications with the backend servers.
For more information on these topics, please refer to the applicable Microsoft documentation.
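The following script is an added example, not Stormshield's code or part of this documentation: a read-only audit of the items above that can be queried from the operating system, run in an elevated PowerShell session on the machine being checked. The registry paths and the Win32_DeviceGuard CIM class are the standard Windows locations for these settings; the Cortana and cloning items have no machine-readable state and are not checked.

```powershell
# Added example (not Stormshield's code): read-only audit of the Windows hardening
# baseline listed above. Run elevated. Exits 1 if any check fails.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

function Get-RegValue {
    # Returns $null when the key or value is absent instead of throwing
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# NTFS on the system volume
$sysLetter = ($env:SystemDrive).TrimEnd(':')
$fs = (Get-Volume -DriveLetter $sysLetter).FileSystem
Add-Check 'System volume is NTFS' ($fs -eq 'NTFS') "FileSystem=$fs"

# Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS machines)
try   { $sb = Confirm-SecureBootUEFI; Add-Check 'Secure Boot enabled' $sb "Confirm-SecureBootUEFI=$sb" }
catch { Add-Check 'Secure Boot enabled' $false 'Not a UEFI system or query not supported' }

# BitLocker protection on the system partition
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Check 'BitLocker on system partition' ($blv.ProtectionStatus -eq 'On') "ProtectionStatus=$($blv.ProtectionStatus)"

# Virtualization-based security running (2) and Credential Guard among the running services (1)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
Add-Check 'VBS (Hyper-V based) running' ($dg.VirtualizationBasedSecurityStatus -eq 2) "VirtualizationBasedSecurityStatus=$($dg.VirtualizationBasedSecurityStatus)"
Add-Check 'Credential Guard running' ([bool]($dg -and ($dg.SecurityServicesRunning -contains 1))) "SecurityServicesRunning=$($dg.SecurityServicesRunning -join ',')"

# LSA protection: RunAsPPL 1 (with UEFI lock) or 2 (without UEFI lock)
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Check 'LSA protection (RunAsPPL)' ($ppl -in 1, 2) "RunAsPPL=$ppl"

# Crash dump type: 1 = complete memory dump, 2 = kernel, 3 = small, 7 = automatic
$dump = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled'
Add-Check 'Complete memory dump configured' ($dump -eq 1) "CrashDumpEnabled=$dump"

# Schannel protocol settings for both the Client and Server roles.
# Absent values mean the OS default applies, which on older builds leaves TLS 1.0/1.1 enabled.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $enabled = Get-RegValue "$schannel\$proto\$role" 'Enabled'
        $dbd     = Get-RegValue "$schannel\$proto\$role" 'DisabledByDefault'
        Add-Check "$proto $role disabled" ($enabled -eq 0 -and $dbd -eq 1) "Enabled=$enabled DisabledByDefault=$dbd"
    }
}
foreach ($role in 'Client', 'Server') {
    $enabled = Get-RegValue "$schannel\TLS 1.2\$role" 'Enabled'
    Add-Check "TLS 1.2 $role enabled" ($enabled -ne 0) "Enabled=$enabled (absent = OS default, enabled)"
}

# Safe mode restricted to administrators (see the safe mode section of this page)
$safe = Get-RegValue 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'SafeModeBlockNonAdmins'
Add-Check 'Safe mode blocked for non-admins' ($safe -eq 1) "SafeModeBlockNonAdmins=$safe"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

The script only reads state; it does not change anything. A failed Secure Boot check on a machine without UEFI firmware means the recommendation cannot be met on that hardware rather than that it was skipped, and the TLS checks deliberately treat a missing registry value as a failure for TLS 1.0/1.1, because on many builds the absence of the value leaves the protocol enabled.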
Make sure that the following ports are allowed on the host firewalls of the machines hosting SES Evolution components, and on all network equipment located between those machines.
Agents
Protocols | Direction | Port | Comments |
---|---|---|---|
TCP | Outgoing | 17000 | Communication with the SES Evolution agent handlers |
UDP | Outgoing | 53 | DNS queries |
TCP | Outgoing | 80 | Access to certificate revocation lists |
TCP | Outgoing | 88 | Kerberos Authentication |
TCP/UDP | Outgoing | 389 | LDAP authentication |
TCP | Outgoing | 3268 | GC (Global Catalog) LDAP authentication |
Agent handler
Protocols | Direction | Port | Comments |
---|---|---|---|
TCP | Incoming | 17000 | Communication with SES Evolution agents |
TCP | Outgoing | 443 | HTTPS connections to the backend server |
TCP | Outgoing | 1468 | Communication with a Syslog server |
TCP/TLS | Outgoing | 6514 | Communication with a Syslog server |
UDP | Outgoing | 514 | Communication with a Syslog server |
Backend server
Protocols | Direction | Port | Comments |
---|---|---|---|
TCP | Incoming | 443 | HTTPS connections from the administration console or agent handler |
TCP | Outgoing | 443 | HTTPS connections to the Stormshield public update server |
TCP/UDP | Outgoing | Variable | Connections to the database engine. The port depends on its configuration. |
TCP | Incoming | 10443 | HTTPS connections from external systems using public APIs (SIEM/SOAR) |
Administration console
Protocols | Direction | Port | Comments |
---|---|---|---|
TCP | Outgoing | 443 | HTTPS connections to the backend server |
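The script below is an added example and not Stormshield's code: it turns the port tables above into scoped inbound Windows Firewall rules for the agent handler and backend server roles, and tests the outbound TCP dependencies of a role from the host it runs on. The address ranges, host names (`dc01.example.internal`, `backend.example.internal`) and the role names are placeholders chosen for this example; replace them with your own. UDP flows (DNS, Syslog over UDP 514) and the database port are not tested here because a TCP connect cannot verify them.

```powershell
# Added example (not Stormshield's code): host-firewall rules and reachability checks
# derived from the SES Evolution port tables. Run elevated. Usage:
#   .\ses-ports.ps1 -Role AgentHandler   (create inbound rules, test outbound)
#   .\ses-ports.ps1 -Role Agent          (test outbound dependencies only)
param(
    [Parameter(Mandatory)]
    [ValidateSet('Agent', 'AgentHandler', 'Backend')]
    [string]$Role
)

# Placeholder peers for this example
$agentSubnets = '10.10.0.0/16'              # workstations running the agent
$consoleHosts = '10.20.1.10', '10.20.1.11'  # administration consoles
$handlerHost  = '10.20.2.20'                # agent handler
$siemHosts    = '10.30.5.5'                 # SIEM/SOAR clients of the public API
$domainCtrl   = 'dc01.example.internal'     # Kerberos / LDAP / Global Catalog
$backendHost  = 'backend.example.internal'  # backend server

# Inbound rules per role: local TCP port and the remote addresses allowed to reach it.
# Scoping to known peers keeps 17000 and 10443 from being reachable from the whole network.
$inbound = @{
    AgentHandler = @(
        @{ Port = 17000; Remote = $agentSubnets;               Desc = 'SES Evolution agents' }
    )
    Backend = @(
        @{ Port = 443;   Remote = $consoleHosts + $handlerHost; Desc = 'administration console and agent handler HTTPS' }
        @{ Port = 10443; Remote = $siemHosts;                  Desc = 'public API (SIEM/SOAR)' }
    )
}

# Outbound TCP dependencies per role, verified with a TCP connect
$outbound = @{
    Agent = @(
        @{ Target = $handlerHost; Port = 17000 }  # agent handler
        @{ Target = $domainCtrl;  Port = 88 }     # Kerberos
        @{ Target = $domainCtrl;  Port = 389 }    # LDAP
        @{ Target = $domainCtrl;  Port = 3268 }   # Global Catalog
    )
    AgentHandler = @( @{ Target = $backendHost; Port = 443 } )
    Backend      = @()   # update server and database port depend on your deployment
}

function New-SesInboundRule {
    param([string]$Role, [hashtable]$Rule)
    $name = "SES Evolution $Role TCP $($Rule.Port) inbound"
    # Idempotent: do not create a duplicate if the rule already exists
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $name -Description $Rule.Desc `
        -Direction Inbound -Protocol TCP -LocalPort $Rule.Port `
        -RemoteAddress $Rule.Remote -Action Allow -Profile Domain, Private | Out-Null
}

function Test-SesOutbound {
    param([string]$Target, [int]$Port)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = "${Target}:$Port"; Open = $r.TcpTestSucceeded }
}

if ($inbound.ContainsKey($Role)) {
    foreach ($rule in $inbound[$Role]) { New-SesInboundRule -Role $Role -Rule $rule }
}
$outbound[$Role] | ForEach-Object { Test-SesOutbound -Target $_.Target -Port $_.Port } |
    Format-Table -AutoSize
```

A closed port in the output means either a missing host-firewall rule on the peer or a filter on intermediate network equipment; the page's requirement covers both, so check both before opening the port more widely than the peer list above.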
Safe mode can be used to troubleshoot problems that prevent a workstation from being used when started normally. By default, the Windows configuration allows all users to start in this mode.
However, in safe mode, the SES Evolution agent self-protection is disabled. You must therefore allow only administrators to use this mode.
To disable safe mode for non-administrator users, create or set the SafeModeBlockNonAdmins value (REG_DWORD) under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System key to 1 in the Windows registry.
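The following is an added example, not Stormshield's code: it applies the registry setting described above from an elevated PowerShell session, creating the policy key if it is absent, and reads the value back so that a typo in the path or value name does not pass silently. The `-Revert` switch is an addition of this example for rolling the change back.

```powershell
# Added example (not Stormshield's code): restrict safe mode to administrators by
# writing SafeModeBlockNonAdmins = 1 (REG_DWORD) under the policy key, then verify it.
# Run elevated. -Revert removes the value and restores the default (all users).
param([switch]$Revert)

$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'SafeModeBlockNonAdmins'

# The Policies\System key may not exist on a machine that has never received a policy
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

if ($Revert) {
    Remove-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
} else {
    # -Force overwrites an existing value, so the script is safe to re-run
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read back and fail loudly if the setting did not land
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $Revert -and $current -ne 1) { throw "$valueName is '$current', expected 1" }
if ($null -eq $current) { "$valueName absent: all users may start in safe mode (default)" }
else                    { "$valueName = $current (safe mode limited to administrators)" }
```

In a domain, deploy the same value with a Group Policy Preference registry item rather than running the script on each machine, so that a rebuilt workstation receives the restriction before the agent is relied on.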