Securing the Web Console Made Easy

Products Access Analyzer Show & Tell
1

Solution Download

SecurePublishedReports.zip (9.1 KB)

Summary

The Netwrix Access Analyzer (NAA) Published Reports site is not initially configured to use HTTPS, requiring multiple manual steps to enable secure communication.

Problem

Over the years working with Netwrix Access Analyzer (NAA), one recurring challenge has been the configuration of the Published Reports web portal to utilize SSL (Secure Sockets Layer) for encrypted, secure communication. While SSL is a standard requirement for any web-based interface, even those that are only accessed over internal corporate networks, getting it implemented correctly within the NAA ecosystem is often time-consuming, unintuitive, and prone to misconfiguration.

The process typically involves multiple steps:

  1. Manual modification of the “WebServer.exe.Config” file to configure HTTPS and the desired port.
  2. Manually binding the certificate thumbprint to the configured port, either through Windows Command Prompt or PowerShell.
  3. Manually configuring the URL ACL (Access Control List) in Windows to define access permissions for HTTP and HTTPS URLs that are registered with the HTTP server APIs, again either through Windows Command Prompt or PowerShell.
  4. Restarting the web server service for those changes to take effect.

For reference, here’s a link to the documentation that provides the steps to enable SSL:
Securing the Web Console

What’s more, SSL certificates have an expiration date, meaning that we’re going to have to go through removing and binding a new certificate when that time inevitably arrives.

I spent several years working as a Support Engineer before becoming a Systems Engineer, and I can attest to the frequency of customers opening support tickets because their SSL certificate had expired, costing them time they could have likely focused elsewhere.

Solution

The Secure Published Reports job will automate the majority of this burden, allowing you to complete the initial configuration, or just apply a new certificate, in a much shorter time span and with a lot less effort. Just imagine the time saved not having to open a support ticket and schedule a meeting to apply a new or updated certificate!

Instructions

  1. Certificate
    After acquiring the certificate from your Certificate Authority, the certificate should be stored in the Local Machine Store.

    The image displays the welcome screen of the Certificate Import Wizard, guiding the user to import certificates and select a store location for them. (Captioned by AI)
    The image displays the welcome screen of the Certificate Import Wizard, guiding the user to import certificates and select a store location for them. (Captioned by AI)534Ă—494 9.77 KB

    On the next screen, go ahead and select the option to “Automatically select the certificate store based on the type of certificate”, this will save the certificate to the Local Computer Certificate Store.
    It’s a good idea at this point to open the Certificate Manager Console (certmgr.msc) to acquire the certificate thumbprint. Simply double-click on the certificate and then click the “Details” tab.
    This image displays a digital certificate interface showing details such as the thumbprint, friendly name, and key usage. (Captioned by AI)
    This image displays a digital certificate interface showing details such as the thumbprint, friendly name, and key usage. (Captioned by AI)405Ă—515 9.69 KB

  2. Service Account
    The service account will need to be granted “Logon as a service” rights in the Local Security Policy (secpol.msc).

    The image shows the Local Security Policy window in a Windows operating system, displaying user rights assignment and various security settings. (Captioned by AI)
    The image shows the Local Security Policy window in a Windows operating system, displaying user rights assignment and various security settings. (Captioned by AI)620Ă—565 33.5 KB

    Additionally, if NAA is configured to leverage Windows Authentication to the SQL database, we’ll need to ensure the service account has the appropriate Database Permissions to access the database.

  3. Connection Profile
    Next, if we’re not using an existing Connection Profile, we’ll need to create a new Connection Profile for the service account.
    After the Connection Profile is created, we’ll need to assign it to the job. To perform this, right-click on the SecurePublishedReports job, then click “Properties”. From here, you’ll want to go to the “Connection” tab, tick the radio button for “Select one of the following user-defined profiles:”, and finally select the desired Connection Profile from the drop-down menu, then click OK to save the setting.

    The image displays a software interface showing job properties with options for selecting connection profiles, including various user-defined profiles like 'N&A Web Server' and 'MySQL'. (Captioned by AI)
    The image displays a software interface showing job properties with options for selecting connection profiles, including various user-defined profiles like 'N&A Web Server' and 'MySQL'. (Captioned by AI)530Ă—539 5.71 KB

  4. Now that we have our certificate thumbprint and our service account and connection profile configured, we can get to the fun part. You’ll find two configuration parameters for this job, a “Certificate thumbprint to bind” and a “Port to bind certificate”.

    The image displays a configuration interface featuring options to input a certificate thumbprint and specify a port for binding a certificate, with a default value of 8082. (Captioned by AI)
    The image displays a configuration interface featuring options to input a certificate thumbprint and specify a port for binding a certificate, with a default value of 8082. (Captioned by AI)669Ă—232 5.92 KB

    Clicking on the pencil will allow you to configure each option.
    A user interface window prompts the user to change the value of a certificate thumbprint, displaying the thumbprint code and options to 'CANCEL' or 'SAVE'. (Captioned by AI)
    A user interface window prompts the user to change the value of a certificate thumbprint, displaying the thumbprint code and options to 'CANCEL' or 'SAVE'. (Captioned by AI)601Ă—417 7.81 KB

    A user interface prompt indicating the default port for binding a certificate is 8082, with options to change the value and either save or cancel the action. (Captioned by AI)
    A user interface prompt indicating the default port for binding a certificate is 8082, with options to change the value and either save or cancel the action. (Captioned by AI)602Ă—454 8.36 KB

    Once configured as desired, we can click the Run Now button, or right-click on the job and click Run Job.
    image
    image1392Ă—398 18.1 KB

That’s it! When your certificate nears expiration, you’ll be able to simply install the new certificate, get the thumbprint, and run this job to update it.

2 Likes
2

Nice work @kurt.gerth that’s super handy to implement! We’ve historically handled this with PowerShell script to find the thumbprint, update XML, then restart service(s).

Does this also handle Access Information Center certificate? Typically, we use the same certificate but sometimes it’s different depending on the environment.

3

Glad to hear you’ll get some use out of this Justin. It doesn’t currently handle the AIC, however I am working on a separate job to perform that which I’m hoping to get released in the next couple of weeks, time permitting.