Carbon Black Protection, running in High enforcement mode, protects servers by preventing the execution of software that is not explicitly approved. Per the Minimum Security Standards, it is required for all Moderate and High Risk systems. This document outlines the steps for enrolling and managing servers in Cb Protection, with links to more detailed information.
- Prerequisites:
  - Install the Splunk Universal Forwarder.
  - Obtain a Privileged Access Workstation (PAW) to access the Cb Protection admin console.
  - Request an account for the Cb Protection admin console.
- Install Cb Protection:
  - Either deploy via BigFix (BigFix for Servers is a prerequisite) or install from a package.
- Using your PAW, connect to the PAW VPN (IDG5540 or su-secops-vpn), open the admin console URL (https://bit9-r1.stanford.edu) in your browser, and change your password the first time you log in. The Chrome browser is recommended.
- Verify that the correct servers are showing in your Cb Protection admin console.
- Set your servers initially to Visibility enforcement mode, then ultimately to High enforcement mode. For information about enforcement modes and changing between them, see Cb Protection Enforcement Modes and Changing Cb Protection Enforcement Modes.
- Regularly monitor the events produced by systems in High enforcement mode via the admin console and/or Splunk.