Group Policy Install

The document Windows ADM Templates and Group Policy helps a security or systems administrator manage the configuration of the Windows Snare Agents through Microsoft Group Policy settings. This procedure may be used as an alternative to other software deployment strategies such as Microsoft SCCM.

Group Policy Management

The configuration of the agents can be managed using Group Policy Objects. As discussed in Appendix B, the Snare Agent policy key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Intersect Alliance\SnareMSSQL and uses exactly the same settings and structure as the standard registry location. The agent gives the policy location the highest precedence when loading the configuration; that is, any policy settings will override local settings. As long as the policy and standard registry locations together provide a complete set of configuration options, the agent will operate as expected.

At the end of each configuration setting, one of the following abbreviations is shown: (SGP), (AGP), (LR), (D). These indicate the source from which the parameter is set, and are defined as follows:

  • Super Group Policy (SGP): If different types of Snare agents (Snare for Windows, Snare Epilog, Snare Enterprise Agent for MSSQL) are running on a network, then SGP can be applied and all the agents will adhere to this policy. The registry path of SGP is Software\Policies\InterSect Alliance\Super Group Policy.
  • Agent Group Policy (AGP): This is the regular group policy applied to all Snare for Windows agents. The registry path of AGP is Software\Policies\InterSect Alliance\Agent Group Policy.
  • Local Registry (LR): These are settings assigned to the agent during installation and applied to the agent when neither SGP nor AGP is applied to the agent.
  • Default (D): If for any reason the agent cannot read any of the SGP, AGP or LR registry values, it assigns the default settings, referred to as (D).
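
To audit which of these sources supplies a given setting on a host, the lookup order can be walked directly in the registry. The script below is an added example, not part of the Snare documentation or product: the two policy paths are the ones listed above, while the local registry path and the subkey and value names are placeholders to be filled in from Appendix B, and checking SGP before AGP is an assumption.

```powershell
# Added example: report which source (SGP, AGP, LR or D) supplies one agent setting.
# The policy paths are the ones given on this page. The LR path and the setting
# names are placeholders; take the real ones from Appendix B.
param(
    [string]$SubKey    = '<SubKey>',     # placeholder: settings subkey
    [string]$ValueName = '<ValueName>',  # placeholder: value under that subkey
    [string]$LocalRoot = 'HKLM:\SOFTWARE\<standard agent key, see Appendix B>'
)

# Checked in this order. Policy before LR is from the page; SGP before AGP is assumed.
$sources = [ordered]@{
    SGP = 'HKLM:\Software\Policies\InterSect Alliance\Super Group Policy'
    AGP = 'HKLM:\Software\Policies\InterSect Alliance\Agent Group Policy'
    LR  = $LocalRoot
}

function Get-SettingSource {
    param([System.Collections.IDictionary]$Sources, [string]$SubKey, [string]$ValueName)

    # Collect every location where the value is actually present, in precedence order.
    $defined = @(foreach ($name in $Sources.Keys) {
        $path = '{0}\{1}' -f $Sources[$name], $SubKey
        $item = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Source = $name; Path = $path; Value = $item.$ValueName }
        }
    })

    # Nothing readable in SGP, AGP or LR: the agent falls back to its defaults (D).
    if ($defined.Count -eq 0) {
        return [pscustomobject]@{ Setting = "$SubKey\$ValueName"; Source = 'D'; Value = $null; Shadowed = @() }
    }

    # The first hit wins; lower-precedence values that differ are reported as shadowed.
    $winner   = $defined[0]
    $shadowed = @($defined | Select-Object -Skip 1 |
                  Where-Object { "$($_.Value)" -ne "$($winner.Value)" })

    [pscustomobject]@{
        Setting  = "$SubKey\$ValueName"
        Source   = $winner.Source
        Value    = $winner.Value
        Shadowed = $shadowed
    }
}

Get-SettingSource -Sources $sources -SubKey $SubKey -ValueName $ValueName | Format-List
```

A non-empty Shadowed list means a lower-precedence location holds a different value that the agent does not use, which is worth reviewing when local settings were changed outside Group Policy.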

Super group policy is useful when different types of Snare agents (Snare Epilog, Snare for Windows and Snare for MSSQL) are running on a network. Using super group policy, network domain administrators can update the common agent settings of all Snare agents running on a network using Microsoft® Group Policy Editor to update the ADM template settings.

For example, network domain administrators can use Microsoft® Group Policy Editor to update all types of Snare agents on the network to send their logs to the Snare Server running at 10.1.1.1 on TCP port 6161. Once this SGP is applied, all Snare agents will send logs to the Snare Server running at 10.1.1.1 on TCP port 6161.

Snare for MSSQL group policy is also useful when there is a need to update the settings of all Snare for MSSQL agents running on a network. Snare for MSSQL group policy only updates the settings of Snare for MSSQL agents.

For example, network domain administrators can use Microsoft® Group Policy Editor to update all Snare for MSSQL agents on the network to send their logs to the Snare Server running at 10.1.1.1 on TCP port 6161. Once this Snare for MSSQL group policy is applied, all Snare for MSSQL agents will send logs to the Snare Server running at 10.1.1.1 on TCP port 6161.

 
