Group Policy Install

The document Windows ADM Templates and Group Policy will assist a security/systems administrator with managing the Windows Snare Agents configuration from Microsoft Group Policy Settings.  This procedure may be used as an alternative to other software deployment strategies such as Microsoft SCCM.

Group Policy Management

The configuration of the agents can be managed using Group Policy Objects. As discussed in Appendix B, the Snare Agent policy key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Intersect Alliance\AuditService and uses exactly the same settings and structure as the standard registry location. The agent gives the policy location the highest precedence when loading the configuration (that is, any policy settings will override local settings) and as long as there is a complete set of configuration options between the policy and standard registry locations, the agent will operate as expected.
At the end of each setting, one of these markers is shown: (SGP), (AGP), (LR) or (D). They identify the source from which the setting can come and are explained below.

  • SGP (Super Group Policy): If different types of Snare agents (Snare for Windows, Epilog for Windows, Snare for MSSQL) are running on a network, SGP can be applied and all the Windows agents will adhere to this policy for the common settings. The registry path of SGP is Software\Policies\InterSect Alliance\Super Group Policy.
  • AGP (Agent Group Policy): This is the regular group policy applied to all Windows-based Snare agents of the same type, e.g. Windows, Epilog or MSSQL. The registry path of AGP is Software\Policies\InterSect Alliance\Agent Group Policy.
  • LR (Local Registry): This is the setting assigned to the agent during installation; it applies when no SGP or AGP setting is in effect.
  • D (Default): If for any reason the agent cannot read the SGP, AGP or LR registry values, it uses the built-in default setting, referred to as (D).
Super Group Policy (SGP) is useful when different types of Snare agents (Snare Epilog, Snare for Windows and Snare for MSSQL) are running on a network. Using super group policy, security/network domain administrators can update the common agent settings of all Snare agents running on a network by using Microsoft® Group Policy Editor to update the ADM template settings. For example, network domain administrators can use Microsoft® Group Policy Editor to update all types of Snare agents on the network to send their logs to the Snare Server running at 10.1.1.1 on TCP port 6161. Once this super group policy is applied, all Windows Snare agents will send logs to the Snare Server running at 10.1.1.1 on TCP port 6161.

Agent Group Policy (AGP) can be used to manage each agent type individually. The Snare for Windows group policy is useful when there is a need to update the settings of all Snare for Windows agents running in a single domain. Snare for Windows group policy updates the settings of all Snare for Windows agents within the domain. For example, network domain administrators can use Microsoft® Group Policy Editor and edit the ADM template settings to update all Snare for Windows agents on the network to send their logs to the Snare Server running at 10.1.1.1 on TCP port 6161. Once this Snare for Windows group policy is applied, all Snare for Windows agents will send logs to the Snare Server running at 10.1.1.1 on TCP port 6161. However, the Snare Epilog and MSSQL agents will not be changed, as they are managed by their own separate AGP settings.
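As an added example (not part of the Snare documentation or the agent's own code), the following PowerShell function audits a host by resolving one agent setting in the precedence order described above, SGP, then AGP, then the local registry, then the default, and reports which source supplied the value. It assumes the two policy paths quoted above live under HKLM; the local-registry root, the 'Network' subkey and the 'Destination' value name are placeholders, not confirmed Snare identifiers.

```powershell
# Resolve the effective value of one Snare agent setting by walking the
# precedence SGP -> AGP -> LR -> D and report the winning source.
# Assumption: policy roots sit under HKLM; $LocalPath, -SubKey and -Name
# passed by the caller are illustrative placeholders.
function Get-SnareEffectiveSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,   # registry value name to resolve
        [string] $SubKey = '',                   # optional subkey below each root
        $Default = $null,                        # the (D) fallback value
        [string] $LocalPath = 'HKLM:\SOFTWARE\InterSect Alliance\AuditService'  # assumed LR root
    )

    # Candidate roots, highest precedence first, tagged with the page's markers.
    $sources = [ordered]@{
        'SGP' = 'HKLM:\SOFTWARE\Policies\InterSect Alliance\Super Group Policy'
        'AGP' = 'HKLM:\SOFTWARE\Policies\InterSect Alliance\Agent Group Policy'
        'LR'  = $LocalPath
    }

    foreach ($tag in $sources.Keys) {
        $path = if ($SubKey) { Join-Path $sources[$tag] $SubKey } else { $sources[$tag] }
        if (-not (Test-Path -LiteralPath $path)) { continue }   # key absent: try next source
        # A missing value returns nothing with SilentlyContinue, so the loop falls through.
        $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $tag; Path = $path }
        }
    }
    # Nothing readable in SGP, AGP or LR: the agent falls back to its default (D).
    return [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'D'; Path = $null }
}

# Audit where this host's log destination comes from ('Network' and
# 'Destination' are placeholder names used only for this example).
Get-SnareEffectiveSetting -SubKey 'Network' -Name 'Destination' -Default '' |
    Format-Table Name, Value, Source, Path -AutoSize
```

A Source of LR on a host that should be policy-managed indicates the GPO has not applied or lacks that value, which is worth checking before trusting that all agents forward to the intended server.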
