OSSEC remote deployment to Windows 2012 server

GarySH1

Has anyone attempted to use the remote deployment feature to deploy the OSSEC agent to a Windows 2012 server?

The feature in question works flawlessly for Windows 2003 and Windows 2008 servers in my environment. The only requirement is that you must allow traffic between the sensor and remote server on ports TCP 139 and 445. I was told that there is a program called winexe that is used to push the software from Linux to Windows.

I have seen discussions on other forums where winexe is not compatible with Windows 2012.

Answers

  • Windows Server 2012 has a new feature called SmartScreen, which causes issues with the OSSEC auto-deployment. SmartScreen is a software signature validation feature to prevent malware being installed on the machine. In this case, though, since the executable for the OSSEC agent is being dynamically generated for each host, the signature does not pass and gets blocked (you can see this if you download the executable and manually deploy). The nightly build of winexe supposedly has fixed a related issue with this I believe (don't quote me on that), and Microsoft does have a tool released that can whitelist the signatures for the domain. I have not played around though to see what it would take to whitelist the agent.
  • Thanks for the info, wfales.
This discussion has been closed.