Standalone licensing - Windows Server Core

Windows Server “core” editions do not include the Windows “Desktop Experience” and are usually missing a number of tools that can assist with the configuration of Snare agents.

In certain environments, administrators may not have access to a system that can remotely browse the Snare Web UI to gain access to the KeyIDs for license generation.

The below steps detail the process for capturing the KeyIDs of a Windows “core” installation locally, so that licenses can be generated and uploaded to the server for standalone Snare deployments.

Note: This guide assumes that a Snare agent has already been installed on the server. Steps for installing using the Snare silent installer can be found here: Silent Install - Snare Windows Agent v5 Documentation - Confluence (atlassian.net)

1. Open a command prompt on the server and change directory to the Snare installation directory:

cd "C:\Program Files\Snare"

2. Run the openweb.bat script to open the Snare Web UI for access.

openweb.bat

3. Follow the onscreen instructions to complete this process.

4. Run the following command to capture the KeyIDs from the installation:

curl https://localhost:6161/license -k | findstr KeyID

If you receive the below error:

“curl (7) Failed to connect to the localhost port 6161: Connection refused”

Make sure you have a firewall rule in place to allow this traffic. An example cmd command to enable this is below:

netsh advfirewall firewall add rule name="AllowSnare" dir=in action=allow protocol=TCP localport=6161

5. You will receive an output like the below:

6. Copy the KeyIDs as per the below example:

7. Log in to the Snare License portal (SLDM) and select Licenses → My Licenses in the left-hand navigation. Once you have located the correct license, select “Enter Key-Ids” and paste in the KeyID copied from the server in Step 6.

8. Once the license has been generated, download a copy and place it in the same directory as the installation media on the server.

Note: In step 2 the Web UI was opened for Snare without authentication. To disable the Web UI altogether and limit access, you can run the following commands:

"C:\Program Files\Snare\stopweb.bat"

and

netsh advfirewall firewall delete rule name="AllowSnare"

Or, if you require the Web UI to be accessible for AMC, you can re-enable authentication by stopping the Snare service, running the below command and restarting the service:

reg add "HKLM\Software\InterSect Alliance\AuditService\Remote" /v AccessKey /t REG_DWORD /d 1 /f

You will then be able to authenticate with the Web UI using the initial password set at the time of installation.
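
The capture in step 4 and the cleanup in this note can be run as one batch file, so that the unauthenticated Web UI and the firewall rule are always closed again and the result is checked. This is an added example, not part of the Snare documentation; it assumes the default install path, the rule name AllowSnare used above, that openweb.bat has already been run, and a hypothetical output file keyids.txt next to the script.

```batch
@echo off
rem Added example, not Snare's own tooling.
rem Assumptions: default install path, rule name "AllowSnare" from this page,
rem openweb.bat (step 2) already run, stopweb.bat returns control to the caller.
setlocal
set "SNARE_DIR=C:\Program Files\Snare"
set "RULE=AllowSnare"
set "OUT=%~dp0keyids.txt"
set "RC=0"

rem Step 4: save the KeyID lines to a file so they can be copied off the server.
rem The pipeline's errorlevel is findstr's: 1 when no KeyID line was returned.
curl -k -s https://localhost:6161/license | findstr KeyID > "%OUT%"
if errorlevel 1 (
    echo [!] No KeyID lines returned. Is the Web UI open on port 6161?
    set "RC=1"
) else (
    echo [+] KeyIDs written to "%OUT%"
    type "%OUT%"
)

rem Cleanup always runs, even when the capture failed.
call "%SNARE_DIR%\stopweb.bat"
netsh advfirewall firewall delete rule name="%RULE%" >nul 2>&1

rem Check 1: the rule must be gone. netsh returns non-zero when no rule matches.
netsh advfirewall firewall show rule name="%RULE%" >nul 2>&1
if not errorlevel 1 (
    echo [!] Firewall rule "%RULE%" is still present.
    set "RC=1"
) else (
    echo [+] Firewall rule "%RULE%" is absent.
)

rem Check 2: nothing should still be listening on TCP 6161.
netstat -an -p TCP | findstr /C:":6161 " | findstr LISTENING >nul
if not errorlevel 1 (
    echo [!] Port 6161 is still listening. The Web UI may still be reachable.
    set "RC=1"
) else (
    echo [+] Nothing is listening on TCP 6161.
)

exit /b %RC%
```

A non-zero exit code means either the KeyIDs were not captured or the Web UI exposure was not fully closed. If the Web UI must stay up for AMC, drop the two checks and re-enable authentication with the reg add command above instead.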

9. Export the configuration of the agent by following the steps in the “Silent Install Setup Information File (INF)” at this link: Silent Install - Snare Windows Agent v5 Documentation - Confluence (atlassian.net) and copy the output .inf file to the same directory as the installation media and license.

10. Now that you have the installation media, license and configuration in one place, change directory to the location containing all files and run the installation using the below command: