DeepSurface: Active Directory Group Policy
Using Active Directory Group Policy to Deploy DeepSurface Scans
Active Directory Group Policy can be used to deploy agents, or to create scheduled tasks that execute User-Managed Scans, when another deployment tool is not available and your hosts are primarily Microsoft Windows machines. You can execute User-Managed Scans or install the DeepSurface Agent on your hosts using GPOs.
Prerequisites
- The DeepSurface appliance is installed and configured
- The DeepSurface appliance has a valid, non-self-signed SSL/TLS certificate installed. (With PowerShell 7.4.4, this item is optional.)
- Hosts that will run the agent must be able to communicate with the DeepSurface console or subordinate console over TCP port 44305 using the configured endpoint address
- The Hosts you wish to scan are joined to your Active Directory domain.
Obtain the Relevant Script
The first step to installing a DeepSurface Agent or running a User-Managed Scan with RiskAnalyzer is to configure the associated endpoints, and then obtain the script related to the specific deployment method.
DeepSurface Agent
In the RiskAnalyzer console, navigate to:
Scanning > Agents > Edit Agent Configuration
Ensure the endpoint configuration and blackout settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit Agent Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script.
Finally, copy the command and arguments presented on the page for later use.
User-Managed
In the RiskAnalyzer console, navigate to:
Scanning > User Managed > Edit User Managed Configuration
Ensure the endpoint configuration settings are correct. For more information on these settings, refer to the embedded product manual. Once finished, save this configuration.
Upon returning from the Edit User Managed Configuration screen, you will be presented with instructions on how to download and run the installation script. Download this script. It will be used below for deploying User-Managed Scans if you are unable to install a valid SSL/TLS certificate on the DeepSurface Console.
Finally, copy the command and arguments presented on the page for later use.
The command and arguments presented on the page should resemble this. The first parameter blurred out below is your certificate thumbprint, the second is your registration code:

NOTE: The name of the script varies depending on deployment method and will be referred to as “<deployment-script>” throughout the rest of this document.
Set Up Your Environment
- If you have a valid, non-self-signed certificate installed on the DeepSurface console following these instructions, you can execute the Agent Installation or User Managed Scan script with a single line, calling the script from the console without having to copy the script to a shared location. Remember, for some older Windows clients the Let's Encrypt CA is not trusted.
- Without a valid SSL/TLS certificate, you will have to create a share that is accessible by the hosts you will scan.
- The share should be secured effectively and should be accessible read-only by the service account that the script will run as on the workstations in question; that account should have a sufficiently complex password.
- The service account needs Admin permissions on the hosts you will scan.
- Open the Group Policy Management and create a new GPO.

- Select your newly created GPO and edit the scope to include parameters that will apply to the hosts you wish DeepSurface to scan.

- Right-click your new GPO and select Edit, then navigate to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks. Right-click Scheduled Tasks and select New > Scheduled Task.

- Set the Action to 'Create', give the GPO an appropriate name, and set the program to run. If you have a valid SSL/TLS certificate installed, use:
'c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
If you have installed PowerShell 7.4.4 or later and intend to install it on all hosts that DeepSurface will scan, select:
'c:\Program Files\PowerShell\7\pwsh.exe'

- If you have a valid SSL/TLS certificate installed on the DeepSurface console and are using PowerShell 5.1 or PowerShell 7.4.4, enter the following command in the Arguments field, all on one line. (Note that `.Content` is already a string, so the script block is created from `$Script` directly.)
-Command $Script = ((Invoke-WebRequest -Uri https://<FQDN of your DeepSurface Console>/agent-setup/<deployment-script>).Content); $ScriptBlock = [Scriptblock]::Create($Script); Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList ($args + @('<certificate thumbprint>') + @('<registration code>') + @('<FQDN of your DeepSurface Console>:44305'))
- If you do not have a valid SSL/TLS certificate and you are using PowerShell 7.4.4, you can use these command arguments. It is important to understand that using this option skips certificate validation and may allow an attacker to tamper with the script that is downloaded. DO NOT use this method if your DeepSurface console is accessed over public networks. (`-SkipCertificateCheck` is a parameter of Invoke-WebRequest, so it must appear inside that call.)
-Command $Script = ((Invoke-WebRequest -Uri https://<FQDN of your DeepSurface Console>/agent-setup/<deployment-script> -SkipCertificateCheck).Content); $ScriptBlock = [Scriptblock]::Create($Script); Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList ($args + @('<certificate thumbprint>') + @('<registration code>') + @('<FQDN of your DeepSurface Console>:44305'))
- If you do not have a valid SSL/TLS certificate and you must use PowerShell 5.1, you will have created a network share that holds the deployment script; place these command arguments in the Arguments field.
\\<UNC path>\<deployment-script> <certificate thumbprint> <registration code> <FQDN of your DeepSurface Console>:44305
Set the 'Start in:' value to %temp%
Set the 'Run as' to be a user that has the required permissions on all the hosts you wish to scan.
Click the 'Schedule' tab at the top of the dialog box. If you are performing User Managed Scans, set the schedule to execute periodically. If you are installing the agent, set the task to run 'Once'. Installed agents get their scanning schedule from the DeepSurface console.

- Click the 'Settings' tab and edit to suit your needs. If you are installing the agent, check the box next to 'Delete the task if it is not scheduled to run again.'

The settings in the 'Common' tab can be left as default.
Click Apply at the bottom of the dialog box, and as your scheduled task executes and the DeepSurface console processes the incoming data, you will see your hosts begin to populate in the DeepSurface console.
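The following PowerShell is an added example, not DeepSurface's own code, for an administrator preparing the share-based (PowerShell 5.1, no valid certificate) method above. It checks that TCP port 44305 on the console is reachable, downloads the deployment script with TLS certificate validation left on (the alternative to `-SkipCertificateCheck` that the warning above cautions against), stages the script on the read-only share, records its SHA-256 hash, and builds the Arguments string for the scheduled task. The console FQDN, share path and script file name are assumptions; the thumbprint and registration code remain the placeholders from the console page.

```powershell
# Added example (not DeepSurface's own code). Pre-flight for the GPO scheduled
# task: confirm console reachability on 44305, fetch the deployment script with
# certificate validation ON, stage it on the share, and build the task arguments.

function Test-DeepSurfaceConsolePort {
    param(
        [Parameter(Mandatory)][string]$ConsoleFqdn,
        [int]$Port = 44305
    )
    # Checks reachability from THIS machine only; target hosts may sit behind
    # different firewall rules and should be tested from their own segment.
    $r = Test-NetConnection -ComputerName $ConsoleFqdn -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Save-DeepSurfaceDeploymentScript {
    param(
        [Parameter(Mandatory)][string]$ConsoleFqdn,
        [Parameter(Mandatory)][string]$ScriptName,   # the <deployment-script> file name
        [Parameter(Mandatory)][string]$SharePath     # the read-only share the task reads from
    )
    # Older Windows PowerShell 5.1 builds default to TLS 1.0; require TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $uri = "https://$ConsoleFqdn/agent-setup/$ScriptName"
    # No -SkipCertificateCheck: a chain or name mismatch throws here instead of
    # letting a script tampered with in transit reach the share.
    $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
    $dest = Join-Path -Path $SharePath -ChildPath $ScriptName
    Set-Content -Path $dest -Value $response.Content -Encoding UTF8 -ErrorAction Stop
    # Return the SHA-256 so the staged copy can be compared on later refreshes.
    return (Get-FileHash -Path $dest -Algorithm SHA256).Hash
}

function New-DeepSurfaceTaskArguments {
    # Builds the Arguments field value for the share-based method, quoting the
    # UNC path so a share name containing spaces still resolves.
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [Parameter(Mandatory)][string]$ScriptName,
        [Parameter(Mandatory)][string]$CertThumbprint,
        [Parameter(Mandatory)][string]$RegistrationCode,
        [Parameter(Mandatory)][string]$ConsoleFqdn
    )
    $scriptPath = Join-Path -Path $SharePath -ChildPath $ScriptName
    return "`"$scriptPath`" $CertThumbprint $RegistrationCode ${ConsoleFqdn}:44305"
}

# --- Example run; every value below is an assumption or placeholder ---
$console = 'deepsurface.corp.example'       # assumption: console FQDN
$share   = '\\fileserver\deepsurface$'       # assumption: read-only share
$script  = 'deployment-script.ps1'           # assumption: <deployment-script> name

if (-not (Test-DeepSurfaceConsolePort -ConsoleFqdn $console)) {
    throw "Cannot reach ${console}:44305 from this host; review firewall rules before deploying."
}
$hash = Save-DeepSurfaceDeploymentScript -ConsoleFqdn $console -ScriptName $script -SharePath $share
Write-Host "Staged $script on $share (SHA256 $hash)"
$taskArgs = New-DeepSurfaceTaskArguments -SharePath $share -ScriptName $script `
    -CertThumbprint '<certificate thumbprint>' -RegistrationCode '<registration code>' -ConsoleFqdn $console
Write-Host "Scheduled task Arguments field: $taskArgs"
```

Run this from an administrative workstation each time the deployment script is re-downloaded from the console. The returned hash gives you a value to compare against the copy on the share before the GPO task fires, so an unexpected change to the staged script is noticed rather than silently executed as the service account on every targeted host.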