working

Varonis Basic Installation Training Lab

DatAdvantage 8.6
DataPrivilege 8.6
Including SQL 2019

For assistance, please contact [email protected]

 Varonis Training Lab

Table of Contents
Lab Overview ................................................................................................................................ 3
DatAdvantage General Architecture Diagram .............................................................................................. 6
Lab 1: Target System Prerequisites ......................................................................................................... 7
Lab 2: Install Prerequisite Windows Components ......................................................................................... 8
Lab 3: Install Microsoft SQL Server 2019 on the DSP .................................................................................... 22
Lab 4: Post SQL Server Configuration and Validation .................................................................................... 46
Lab 5: Install Varonis DatAdvantage and DataPrivilege on HUB-DSP .................................................................... 48
Lab 6: DatAdvantage Post Setup Configuration & Initial FileWalk ....................................................................... 75
Lab 7: Preparing the HUB-COLLECTOR machine to be a Varonis DatAdvantage Collector .............................................. 86
Lab 8: How to add a Varonis DatAdvantage Collector from HUB-DSP ................................................................... 94
Lab 9: Configuring DatAdvantage for Directory Services ................................................................................ 99
Lab 10: Performing a DatAdvantage Health Check ..................................................................................... 113
Lab 11: Configure DataPrivilege for Basic Functionality ................................................................................ 114
Lab 12: Adding a Data Owner and Base Folder to DataPrivilege from DatAdvantage ................................................. 141

Page 2
Data Governance Suite
 Varonis Training Lab

Lab Overview

The following labs were developed to assist anyone requiring an understanding of the installation procedure for
DatAdvantage (DA) and DataPrivilege (DP). Each Lab provides the exact procedure to install and configure DA and DP.

ACCESSING THE VIRTUAL TRAINING ENVIRONMENT

1. Navigate to https://certification-labs.varonis.com
*Note: Varonis employees cannot use this link to access the virtual training environment. Varonis
Sales Engineers should use https://se-labs.varonis.com/ to access the labs while PS engineers should use
https://ps-labs.varonis.com/.
2. Sign in using your employee/partner login credentials. These credentials are the same credentials you used to
login to https://partneredu.varonis.com

3. On the left-hand side, select “New Environment”

Page 3
Data Governance Suite
 Varonis Training Lab

4. Choose a name for your environment. In this case, I have named it “Basic DatAdvantage Install Certification”
a. Select a template that you want to deploy. The template name is identical to the course that you signed
up for. In this case, I am deploying the “DatAdvantage Basic Installation Lab” template.
b. Select a region that you would like to deploy the template in. Please select the region that is closest to
your location. I am in the United States, so I will be deploying the template in “East US 2”.
c. Choose a window that the lab will be available for. Make sure that you select the appropriate time
zone for your location. I would like my lab to be available from 9 AM – 5 PM EST.
d. Click “Create” once you have filled all the sections out.

5. Click the check button to confirm your selection.

6. Once your environment has been deployed, you will see your environment if you click “Environments” on the
left-hand side. The status of the environment will show a green arrow pointing up when it is ready to be used.
Please allow 5-10 minutes for the lab to deploy successfully.

Page 4
Data Governance Suite
 Varonis Training Lab

7. Click on the recently deployed environment. A panel will appear on the right-hand side. For this specific
template, there are 5 different machines that will be used. Each machine is designated by name. For example,
there is a DSP, Filer, Collector, Domain Controller and a SOLR machine.

8. Each machine has four action buttons. Info, Connect, Stop and Restart.
a. Info – Displays information for the selected server such as its IP address.
b. Connect – Opens a new tab in your browser and opens a RDP connection to the selected server.
c. Stop – Turns off the virtual machine
d. Restart – Restarts the virtual machine
*Note: The connect button functions differently for Varonis employees. Clicking “Connect” will download a
link to an RDP session for the machine you selected. You will then have to enter the username/password for
the machine to connect. The username for all machines is “vrnslab\itadmin” and the password is
“p@ssword1”.

9. If you do not finish the lab in the time period that you selected when deploying the environment, the
environment will shut down. You have the option to restart the lab the next day and pick up from the previous
spot you stopped at by selecting the “Start” option.

Page 5
Data Governance Suite
 Varonis Training Lab

DatAdvantage General Architecture Diagram

General Architecture

Page 6
Data Governance Suite
 Varonis Training Lab

Lab 1: Target System Prerequisites

Overview: The goal of this lab is to determine if the machine has the necessary hardware specifications to run the
Varonis software and that all necessary client information is obtained.

1. Hardware Requirement
a. Connect to the HUB-DSP server by clicking on the link once you have logged in.
b. Open “Server Manager”, then click on “Local Server” the left side of the window.
c. Review the hardware specifications and ensure that they meet minimum hardware requirements for the
DSP/SQL server. The minimum recommended hardware requirements are:
i. Windows Server 2016 and above
ii. 6 – 12 Cores
iii. 24 - 32 GB of RAM
iv. SQL 2017 and above
v. 300 GB Drive Space
In the lab, these requirements are not met, however in an evaluation installation you will want to ensure you
meet the minimum requirements before installing.
d. Keep in mind these are the recommended minimal specifications. For proper sizing in a production
environment, please consult with the professional services team.

2. The next step in all installations, including these labs, is to obtain the following information from the customer:
a. A Domain User Account & Password. This account will be added to the “Backup Operators” and “Power
Users” group on all Windows file servers being monitored. For this lab, the domain credentials will be
“svcvaronis” / “p@ssword1”. This account will also be used for pulling information from Active Directory
and for running specific Varonis services.
b. The SQL “sa” Account Password. SQL can enforce Active Directory password security policies. You will
create the SA account password later in the lab when you install SQL.
c. The customer’s SMTP server address. For these labs the server address is: vrnsexchange.vrnslab.se.
d. The source email address (the “From Address”). For these labs the email account is
[email protected] for all systems.

Page 7
Data Governance Suite
 Varonis Training Lab

Lab 2: Install Prerequisite Windows Components

Overview: The goal of this lab is to install IIS (with ASP.NET), Message Queuing and .NET Framework 3.5 on the DSP
server. IIS is only required when installing DataPrivilege. The DatAdvantage Web Interface uses OWIN and installing IIS
is not required if you are only installing DatAdvantage. .NET Framework 4.7.2 is also required and should already be
preinstalled with all major versions of Server 2016 and above.

1. On the HUB-DSP server, open the “Server Manager” by clicking the icon on the taskbar.

2. Click “Add roles and features”.

Page 8
Data Governance Suite
 Varonis Training Lab

3. Click on “Server Selection”.

4. Click “Next”.

Page 9
Data Governance Suite
 Varonis Training Lab

5. Select the “Web Server (IIS)” Role.

6. When prompted to “Add Feature that are required for Web Server (IIS)”, click “Add Features”.

Page 10
Data Governance Suite
 Varonis Training Lab

7. Click “Next”.

8. Select “.NET Framework 3.5 Features”. Then click the arrow to expand “.NET Framework 4.7 Features” and select
“ASP.NET 4.7”. Lastly, click on the arrow to expand “WCF Services” and select “HTTP Activation”.

Page 11
Data Governance Suite
 Varonis Training Lab

9. When prompted to “Add features that are required for HTTP Activation”, click “Add Features”.

10. Scroll down in the “Features” window and check “Group Policy Management” and Message Queuing. Group
Policy Management is needed for collecting GPO events when Active Directory is being monitored. Message
Queuing is now a required feature installtion for DataAdvantage 8.6.20+.

Page 12
Data Governance Suite
 Varonis Training Lab

11. Click on “Role Services” under “Web Server Role (IIS)”.

12. Select “HTTP Redirection” then scroll down to “Security”.

Page 13
Data Governance Suite
 Varonis Training Lab

13. Select “Windows Authentication”, then expand “Application Development” by clicking the arrow next to it.

14. Select “ASP.NET 3.5”.

Page 14
Data Governance Suite
 Varonis Training Lab

15. When prompted to “Add features that are required for ASP.NET 3.5”, click “Add Features”.

16. Next, select all the “IIS 6 Management Compatibility” components by first clicking the checkbox next to it, then
clicking the arrow to the left of the checkbox and selecting the “IIS 6 Metabase Compatibility”, “IIS 6
Management Console”, and “IIS 6 Scripting Tools”.

Page 15
Data Governance Suite
 Varonis Training Lab

17. When you check “IIS 6 Scripting Tool” you will be prompted to “Add features required by IIS 6 Scripting Tools”.
Click “Add Features”.

18. Select “Next” to proceed to the next screen.

Page 16
Data Governance Suite
 Varonis Training Lab

19. When installing .NET Framework 3.5, you may not be able to install it without the Windows Server installation
media. Click “Specify an alternate source path”.

20. For the purposes of this lab, the Windows Server 2019 media is located in the Downloads folder. Use Windows
Explorer to navigate to the user’s Downloads folder and right click on the ISO to mount it on the machine.

Page 17
Data Governance Suite
 Varonis Training Lab

21. In the “Specify Alternate Source Path” window, type “E:\sources\sxs” (“E:\” because that is the drive letter of
where the ISO is mounted) into the “Path” textbox and then click “OK”. If you do not specify an alternate path,
the roles and features will not be installed.

22. Click “Install”.

Note: .NET Framework 4.7.2 is also required on the DSP server. In later versions of Windows Server (2016+)
this framework should already be installed, but if not, you will need to download the installer separately and
install it as well.

Page 18
Data Governance Suite
 Varonis Training Lab

23. Verify that the Installation completes successfully. In some cases, a restart may be required to finish installing
the features. Click “Close” to close the window and then proceed to restart the machine to complete
installation.

Note: Please wait ~3 minutes for the machine to restart before reconnecting.

24. Next, we will install the Java Runtime Environment (JRE) onto the DSP. The installer can be found in the
Downloads folder.

Note: Only Version 8 of the JRE/JDK is supported in Varonis.

Page 19
Data Governance Suite
 Varonis Training Lab

25. Run the JRE installer (“amazon-corretto-8.312.07.1-windows-x64-jdk.msi”) by double clicking on the installer on
the desktop and then clicking “Run” on the popup window.

26. Click “Next”.

27. Click “Next”.

Page 20
Data Governance Suite
 Varonis Training Lab

28. Click “Install”.

29. Click “Finish” to complete the installation.

Page 21
Data Governance Suite
 Varonis Training Lab

Lab 3: Install Microsoft SQL Server 2019 on the DSP

Overview: The goal of this lab is to successfully install Microsoft SQL Server 2019 on the DSP. SQL can be installed
remotely on a different server or locally on the DSP. In a production environment, installing SQL on the same server as
the DSP is not recommended. This is only recommended for evaluations of the software.

1. On HUB-DSP, click the “File Explorer” icon on the taskbar.

2. Open the Downloads folder and right click on the SQL Server 2019 ISO to mount it on the machine.

3. Double click “setup.exe” to start the SQL Installer.

Page 22
Data Governance Suite
 Varonis Training Lab

4. Click “Installation” and then click “New SQL Server stand-alone Installation or add features to an existing
installation”.

5. Click “Next” to install SQL Server 2019 using an evaluation product key.

Page 23
Data Governance Suite
 Varonis Training Lab

6. Accept the license terms by clicking the checkbox, and then click “Next”.

7. Click “Next” at the Microsoft Update page.

Page 24
Data Governance Suite
 Varonis Training Lab

8. The setup files will install automatically. This should only take a minute or two to complete.

9. Select “Database Engine”. Change “C” to “D” in “Instance Root Directory, Shared Feature Directory and Shared
Feature Directory (x86)”. Click “Next”.
Note: It is best practice to install SQL on a drive other than “C”. However, the “D” drive on this lab is wiped
daily. If you intend to work on this lab over the course of several days, please install it on “C” to avoid SQL
being removed (thus, breaking the installation), otherwise proceed with installing SQL on “D”.

Note: Different versions of SQL include different components in the installer. SQL 2014 includes both the
Management Studio and Reporting Services. If you were installing SQL 2014 in a production environment, you
would need to check those options here. In SQL 2016, the Management Studio is removed and needs to be
installed separately. In SQL 2017 and 2019, both the Management Studio and Reporting Services have been
removed from the feature selection screen and need to be installed separately.
Page 25
Data Governance Suite
 Varonis Training Lab

10. Click “Next” to accept the default instance configuration.

11. For “Startup Type”, select “Automatic” for the top two services and then click “Collation”.

Note: If SQL is being installed on a remote server, make sure the “Startup Type” for “SQL Server Browser” is
set to “Automatic” as well. This is not needed if DSP and SQL are on the same server.
Page 26
Data Governance Suite
 Varonis Training Lab

12. Ensure that the Collation is set to “SQL_Latin_1_General_CP1_CI_AS”. Once verified, click “Next”.

Page 27
Data Governance Suite
 Varonis Training Lab

13. Pick “Mixed Mode” security and enter/confirm the password “p@ssword1”. Click “Add Current User” so that a
windows account can be used in addition to the “sa” account. Performing this step will automatically provide this
login with the SQL “sysadmin” role that is required to make changes to the database. Click “Next”.

Note: In some cases, customers will decline to use Mixed Mode authentication. DatAdvantage supports using
Windows Authentication mode only without enabling Mixed Mode. Using only Windows Authentication
Mode requires additional changes to be made when installing DatAdvantage. These changes will be noted
later in the guide.

Page 28
Data Governance Suite
 Varonis Training Lab

14. Click “Install”.

15. SQL should take 5-10 minutes to install. The SQL installation will indicate that it has completed successfully and a
restart is required. Click “OK”. Click “Close” and then return to the main installation screen. Close the remaining
windows and restart the server.

Note: Please wait ~3 minutes for the machine to restart before reconnecting.

Page 29
Data Governance Suite
 Varonis Training Lab

16. Repeat the previous steps to mount the SQL Server 2019 ISO. Return to the SQL installer and click “Install SQL
Server Reporting Services” under “Installation”.

17. Click “SQL Server 2019 Reporting Services” then click “Download”.

Note: 2022 has replaced 2019, but we must use SSRS 2019. You can download that here
https://www.microsoft.com/en-us/download/details.aspx?id=100122.

Page 30
Data Governance Suite
 Varonis Training Lab

18. Once the download finishes, open the installer in the bottom-left corner by clicking on it.

19. Click “Run”.

Page 31
Data Governance Suite
 Varonis Training Lab

20. Click “Install Reporting Services”.

21. Click “Next”. In a customer environment, make sure a product key is entered on this page if this is a production
install.

Page 32
Data Governance Suite
 Varonis Training Lab

22. Accept the license terms and click “Next”.

23. Click “Next”.

Page 33
Data Governance Suite
 Varonis Training Lab

24. Click “Install”.

25. The install should take between 1-3 minutes. Click “Configure report server”.

Page 34
Data Governance Suite
 Varonis Training Lab

26. Click “Connect”.

27. Click “Web Service URL” on the left-hand side and click “Apply”.

Page 35
Data Governance Suite
 Varonis Training Lab

28. Once configuration has finished, click “Database” on the left-hand side and click “Change Database”.

29. Select “Create a new report server database” and click “Next”.

Page 36
Data Governance Suite
 Varonis Training Lab

30. Click “Next”.

31. Click “Next”.

Page 37
Data Governance Suite
 Varonis Training Lab

32. Click “Next”.

33. The database will be configured. Once done, click “Finish”.

Page 38
Data Governance Suite
 Varonis Training Lab

34. Click “Web Portal URL” on the left-hand side and click “Apply”.

35. Click “Exit” to complete the configuration of SSRS.

Page 39
Data Governance Suite
 Varonis Training Lab

36. Return to the installer and click “Install SQL Server Management Tools”.

37. Scroll down until you see a download link for “SSMS 18.x”. Click the download link.
Page 40
Data Governance Suite
 Varonis Training Lab

38. Click on the download in the bottom-left corner to open it.

39. Click “Run”.

Page 41
Data Governance Suite
 Varonis Training Lab

40. Click “Install”.

41. SSMS will take between 5-10 minutes to install. Once installed, click “Restart” to complete the installation.

Note: Please wait ~3 minutes for the machine to restart before reconnecting.

Page 42
Data Governance Suite
 Varonis Training Lab

42. The last step to complete the SQL Server 2019 installation is to install the latest service package. In the
“Downloads” folder, click on the file “SQLServer2019-KB5007182-x64.exe”. Click “Run” when the security
warning popup appears.

43. Click the box to accept the terms and conditions then click “Next”.

Page 43
Data Governance Suite
 Varonis Training Lab

44. Click “Next”.

45. Wait for the “Checking Files” job to complete then click “Next”. If a process is running, you will have to restart
once the update is complete (as seen in the screenshot).

Page 44
Data Governance Suite
 Varonis Training Lab

46. Click “Update”.

47. Once completed, you will get a notification that you must restart the server to complete the installation. Click
“OK” to close the window. Click “Close” and restart the server to finish installing the SQL Server update.

Note: Please wait ~3 minutes for the machine to restart before reconnecting.
Page 45
Data Governance Suite
 Varonis Training Lab

Lab 4: Post SQL Server Configuration and Validation

Overview: In this lab, we validate that all protocols and ports have been correctly configured during the installation of
SQL Server 2019. The use of the tools and techniques in this lab aid in ensuring a target system is thoroughly prepared
for the installation of DA.

1. On the HUB-DSP Server, launch the SQL Server Configuration Manager by clicking “Start”, then typing
“configuration” and clicking on “SQL Server 2019 Configuration Manager”.

2. Click on “SQL Server Services” on the left-hand pane. Verify that “SQL Server” and “SQL Server Agent” are
configured and running. If the state of any of those services is not “Running”, the service should be started by
right-clicking on the service and selecting “Start”.

Page 46
Data Governance Suite
 Varonis Training Lab

3. Open Chrome from the taskbar and navigate to http://localhost/reports to verify that the SQL Reporting Page
Displays correctly. This page may take a few moments to load.

Page 47
Data Governance Suite
 Varonis Training Lab

Lab 5: Install Varonis DatAdvantage and DataPrivilege on HUB-DSP

Overview: The goal of this lab is to install the Varonis DatAdvantage and DataPrivilege server components, commonly
known as the DSP. The DA and DP server components include Databases, Tables, SQL Stored Procedures and the
connectivity between the Active Directory Server and the DSP.

1. On HUB-DSP, navigate to the Downloads folder and double-click “setup.exe” within the “Installer” directory.

Note: It may take some time to extract the installer.

2. Click “Run”.

Page 48
Data Governance Suite
 Varonis Training Lab

3. After the installer finishes extracting, the “Welcome” screen will pop up. Click “Next”.

4. The “License Agreement” window will appear. This license agreement should be completely read before toggling
the radio button. If you do not agree to the terms of the license agreement, the “Next” button will remain
grayed out and installation cannot proceed. To accept the agreement and continue with the installation, select
“I Agree”, then click “Next”.

Note: The “Varonis Setup Wizard’ manages the installation of the DSP, but it also is used to manage the
addition and removal of all available features of DA and DP. You can also use the installation package to
manage the DA and DP license registration and to maintain the database passwords.

Page 49
Data Governance Suite
 Varonis Training Lab

5. Select “Install” and then click “Next”.

6. Select all the available features and then click “Next”.

Page 50
Data Governance Suite
 Varonis Training Lab

7. We need to configure the DSP working share. Navigate to “C:\” on the DSP, right click and create a new folder
called “Working Share - DSP”. Right click on the folder and click on “Properties”.

8. Right click on the “Working Share - DSP” folder and click on “Properties”. In the window that pops up, click the
“Sharing” tab and click on “Advanced Sharing…”. In the “Advanced Sharing” window that pops up, check the
“Share this folder” box and then click on the “Permissions” button at the bottom to bring up the “Permissions
for Working Share - DSP” window.

Page 51
Data Governance Suite
 Varonis Training Lab

9. Click “Everyone” and give the group “Full Control” permissions on the share. Click “OK” to save the changes. We
are using more restrictive NTFS permissions for this folder which is why we share the folder with “Everyone” in
this step.

10. After setting the shared (“Sharing” tab) permissions, adjust the NTFS permissions (“Security” tab) so that the
service account “svcvaronis” and “SYSTEM” also have full NTFS folder permissions (if you do not see either
account on the list, click the “Edit…” button, then the “Add…” button on the following window and search for
the account that needs to be added). Remove the “Users” group as well once finished.

Note: You may need to disable inheritence on the folder in order to remove the “Users” group from the
permissions list.

Page 52
Data Governance Suite
 Varonis Training Lab

11. Repeat steps 7 - 11 for another share named “Working Share – DLS”. This share will be used for the DatAlert
Analytics portion of the software.

12. Return to the “Varonis Setup Wizard”, click the ellipses next to “Working Share” and select the “Working Share –
DSP” folder and click “OK”. For the “Username” and “Password” section we will use the Varonis service account,
for this lab it will be “vrnslab\svcvaronis” and the password is “p@ssword1”.

Note: Starting in 8.5.34, the Varonis service account should be used for the Working Share credentials. Some
Varonis services run under the service account specified in this section and using anything other than the
Varonis service account could lead to issues. This account must be a local administrator on the DSP server.

Page 53
Data Governance Suite
 Varonis Training Lab

13. In the “DSP Server Database Installation” section, provide the hostname of the server on which the Varonis
databases will be installed. You can do so by either:
• Manually typing the name of the server into the textbox next to “Database Server”
• Clicking on the ellipses button next to the “Database Server” textbox and selecting the correct host from
a list of available servers. Please note this option will only work if the computer browser service is
running.
NOTE: For this lab, it is not necessary to change this as SQL is located on the DSP. When you are
using a remote SQL instance, you will need to change the server, as well as the database location
if you are not using the default instance.

14. Enter “sa” for the username and “p@ssword1” for the password and then click “Next”.

Note: If you have previously configured SQL to work only in Windows Authentication mode, you must click
“Application Account” on this screen and modify the user. By default, the installer uses “SQL Authentication”
and creates the user “VaronisOwner”. You need to change the Authentication to “Windows Authentication”
and then select a Windows account with local admin privileges on the DSP to use with Varonis to manage
service and database operations. It is best to have a dedicated account for this such as “svc_varonis_sql”,
separate from the service account already in use.

Page 54
Data Governance Suite
 Varonis Training Lab

15. The next window to appear asks the user to enter the license information for DA and DP. There are two methods
for validating the license information: “Automatic Registration” and “Manual Registration”.
• For “Automatic Registration”, the DSP must have internet access with no proxies or restrictions on
access to: http://support.varonis.com
• “Manual Registration” should only be used when there is no active internet connection on the DSP
server.

16. Choose “Automatic”. Fill in each of the fields from the information specified below, and then click the “Register”
button.
• The license information is as followed:
i. Customer Email: [email protected]
ii. Serial Number: 80f9-0732-0380-e9ae

Note: When copying and pasting license field information, ensure that no white space or blank characters are
inserted into the fields. These are included in the license key calculation and may result in an error message.

Page 55
Data Governance Suite
 Varonis Training Lab

17. If registration has completed successfully, details of the license appear in the bottom panel. Details include
modules covered and which Varonis products are included in the license. Click on the “Next” button.

18. For the purposes of this lab, ensure the “Probe service and database configuration is same as DSP” box is
checked so that the DSP and Probe will be installed on the same server. Click “Next”.

Page 56
Data Governance Suite
 Varonis Training Lab

19. The next screen provides the ability to configure the DatAdvantage Web Application. It is possible to choose
where the web server is hosted, however for the purpose of this lab, keep the default configuration. You also
can change the retention period of how many days Solr will retain event data. Confirm the settings and then
select the “Next” button.

20. Before moving forward, we will configure the “HUB-SOLR” machine so it can host these services. We will be
installing the Java Development Kit (JDK) on it. You also need to install .Net Framework 4.7.2, however in the lab
we are running Windows Server 2019 on the Solr server, which already comes preinstalled with the necessary
.Net Framework.

21. Connect to the “HUB-SOLR” machine, browse to the “Downloads” folder through Windows Explorer and run the
JDK installer.

Page 57
Data Governance Suite
 Varonis Training Lab

22. Click “Run”.

23. Click “Next”.

24. Click “Next”.

Page 58
Data Governance Suite
 Varonis Training Lab

25. Click “Install”.

26. Once completed, click “Finish” to exit the JDK installer.

27. Return to the DSP Server. Back on the DSP, we will now configure the Solr and Zookeeper host. Click the “Add”
button to choose where to install Solr and Zookeeper. It is recommended to keep Solr and Zookeeper together.
In production, it is recommended to have a designated machine for hosting Solr and Zookeeper.

Page 59
Data Governance Suite
 Varonis Training Lab

28. Change the server location to “HUB-SOLR”. The deployment credentials must have local administrative privileges
on the designated server. For this lab, use the “vrnslab\itadmin” account as the username and “p@ssword1” as
the password for both. Click “Add”.

29. There are two entries in the configuration window, one for “Solr” and one for “Zookeeper”. Verify these settings
are correct and click “Next”.

Page 60
Data Governance Suite
 Varonis Training Lab

30. Next, we need to configure the install for the “DatAlert Analytics” component. Under Installation Credentials, fill
in”VRNSLAB\itadmin” as the username and “p@ssword1” as the password. Click on the ellipsis next to “Working
share” and select the “Working Share – DLS” folder that we created earlier. Change the username under
“Working Share Settings” to “VRNSLAB\svcvaronis”. The password is the same for this account. Click “Next”.

Note: Starting in 8.5.34, the Varonis service account should be used for the Working Share credentials. Some
Varonis services run under the service account specified in this section and using anything other than the
Varonis service account could lead to issues. You can use any account that has the proper permissions for the
Installation Credentials, but the Working Share Settings should always be linked to the Varonis service
account.

Page 61
Data Governance Suite
 Varonis Training Lab

31. Next, configure the automatic updates for the system. For the purpose of this lab, uncheck “Enable live update”.
This is an opt-in option for how customers want to receive updates. It is highly recommended that customers
enable this option. Click “Next”.

32. Next, configure user feedback. For the purpose of this lab, uncheck “I agree to have users send feedback in
accordance with the Varonis Privacy Policy”. This is an opt-in option for customers which enables them to give
user feedback. Click “Next”.

Page 62
Data Governance Suite
 Varonis Training Lab

33. For the purpose of this lab, uncheck “I agree to participate in log data collection in accordance with the Varonis
Privacy Policy”. This is an opt-in option for customers which enables the automatic collection and delivery of
Metadata Framework logs to Varonis in an effort to improve our software and provide Varonis Support/Sales
with direct insight into issues with cutomser environments. It is highly recommended that customers enable
this option. Click “Next”.

34. Enter “VRNSLAB\itadmin” as the username and “p@ssword1” as the password for the installation credentials.
Click “Next”.

Page 63
Data Governance Suite
 Varonis Training Lab

35. The following window summarizes the products that will be installed and checks to ensure all prerequisites have
been fulfilled for the installation. Click “Next”.

36. Several warnings will appear. Click “View Details” to see them all in one pane. One says SQL Server is configured
to use all the memory of the hosting OS. It is recommended in a production environment to change this setting
in SQL to 70% of the RAM available on the machine to avoid using all of the RAM for SQL (irrelevant if SQL is
on a dedicated machine). There are also warnings that the DSP specs do not meet minimum requirements. This
is normal for the lab, but for production environments please consult with Varonis professional services for
sizing. Click “OK”.

Page 64
Data Governance Suite
 Varonis Training Lab

37. Click “Ignore & Continue”.

38. Click “Install”. The installation of the Varonis software will begin.

Page 65
Data Governance Suite
 Varonis Training Lab

39. Upon completion, the following screen will appear. Click “Next”.

We need to configure the mail settings on this page. Enter [email protected] in the “From:” text box. Enter
[email protected] in the “To:” text box. Enter “mail.vrnslab.se” in the “SMTP Server” text box. Click
“Next”.

Page 66
Data Governance Suite
 Varonis Training Lab

40. We will now provide an Active Directory user account that has at least standard domain user access to the
domain. Use the service account “vrnslab\svcvaronis”. Note, Domain Admin rights are not required, only
Domain User rights. This account will be used to pull all users and groups from the specified domain. On the
“Domain Trusts” screen, click on the domain name and then click “Edit”.

41. This will bring up the “Domain Properties” window, which is used to configure the credentials for each AD, LDAP,
and NIS domain that will be monitored. Click the ellipses next to the Username field.

Page 67
Data Governance Suite
 Varonis Training Lab

42. Type “svcvaronis” into the dialog box that opens, and then click “Check Names” followed by “OK”.

43. Enter “p@ssword1” in the Password field, then click “Save”. The “Domain Properties” windows will close and
you will return to the “Domain Trusts” screen.

Page 68
Data Governance Suite
 Varonis Training Lab

44. You will see a progress bar. Once it has reached 100%, click “Next”.

45. Here we can configure Collectors. Collectors are used in distributed installations of DatAdvantage for the
purpose of improving performance and avoiding latency issues with servers located in different locations. We
will not be adding a collector at this time. Click “Next”.

Page 69
Data Governance Suite
 Varonis Training Lab

46. The “Monitored File Servers” screen is displayed. This screen is used to configure the file servers that will be
monitored by DatAdvantage. Click the “Add” button on the “Resources” menu bar.

47. When the “File Server Wizard” window opens, type “HUB-DSP” in the “Resource/Server Name” field. We will
use the service account to run the FileWalk. Enter “VRNSLAB\svcvaronis” and “p@ssword1”. Note, this account
must be a member of both the local Backup Operators and Power Users groups on the file server being
monitored. Click “Detect resource type”. The server will detect as Windows automatically. Click “Agent
Deployment”.

Note: For this lab, the server we will be monitoring is the DSP itself. This would not be appropriate if the
installation occurred for a customer, but is appropriate for educating engineers on the DA installation process.
Page 70
Data Governance Suite
 Varonis Training Lab

48. Uncheck “Use FileWalk credentials for agent installation”. In most production environments, the customer will
not allow you grant the service account as a local admin on the resource you are monitoring (unless absolutely
required). To install the agent, you will use the customer’s admin account (VRNSLAB\itadmin) to install the agent
on the file server. This account must have local administrator rights on the server being added. Enter the
itadmin account credentials from the previous section and click “OK”.

49. Click “Shares” on the left-hand side. Here you can review the shares that you would like DatAdvantage to
monitor. For this lab, we will leave everything unchanged. Click “Configuration” on the left-hand side.

Page 71
Data Governance Suite
 Varonis Training Lab

50. Review the options presented in the “Configuration” tab. Here you can specify the shadow database installation,
SQL host server credentials, FileWalk settings and event collection parameters. For this lab we will leave
everything unchanged. Click “Install”.

51. A warning will popup notifying you on how to enrich events collected on this resource with IP address
information. Click “OK”.

Page 72
Data Governance Suite
 Varonis Training Lab

52. A new window will open, checking the prerequisites.

53. Once the prerequisite check completes, you will be back in the “Monitored File Servers” window where you will
see a progress bar complete, as the server is installed. Once it reaches 100%, click “Next”.

Page 73
Data Governance Suite
 Varonis Training Lab

54. In the “Installation Complete” Window, click “Finish”. The “Show Error Log” line should be grayed out indicating
that the installation was completed successfully.

You have completed the instllation of DatAdvantage and DataPrivilege.

Page 74
Data Governance Suite
 Varonis Training Lab

Lab 6: DatAdvantage Post Setup Configuration & Initial FileWalk

Overview: The goal of this lab is to access the Management Console for the first time and configure Privileged Account
Discovery. We’ll also run an initial FileWalk on HUB-DSP and confirm that data is being collected from the file server.

1. Open the Varonis Management console on the desktop.

2. You will receive a message that the server failed to connect. Click “OK”.

Page 75
Data Governance Suite
 Varonis Training Lab

3. Click “Servers…”.

4. Select the current server “hub-idu” and click “Remove”. Once removed, click “Add”.

5. The Server Information screen will open. In the textbox next to “DSP Server address”, type “localhost” then select
“OK”.

6. Click “Close” on the “DSP Server Editor” screen.

Page 76
Data Governance Suite
 Varonis Training Lab

7. Back in the “DSP Server Selection” window, the “Server Selection List” will populate. Click “Connect”.

8. Once the Management Console is open, you will see a list of all the different jobs that can be run. You will be
running the “ADWalk”, “FileWalk HUB-DSP”, “Pull AD”, and “Pull Walks :: Processing” (in that order).

Page 77
Data Governance Suite
 Varonis Training Lab

9. Right-click the “ADWalk” job and select “Run Job”.

10. The following screen will be displayed showing the progress.

11. The DatAdvantage ADWalk job will start and will pull all of the Users, Groups and Extended attributes from AD.
The ADWalk job should complete in about three to five seconds in this Lab. In a customer environment this job
will take a lot longer, in some cases as long as 30 minutes to a few hours depending on how many users and
groups there are. There is no limit to how many AD users a single DSP domain can support. After the job is done,
you will see a check mark next to “Last Run Status”.

Page 78
Data Governance Suite
 Varonis Training Lab

12. Right-click the “FileWalk HUB-DSP” job and select “Run Job”. The FileWalk job will begin and will pull the
directory and file system permissions from the file server, in this case the file server is the HUB-DSP server itself.
In this lab, the FileWalk job will take at most a few minutes. The FileWalk will take as long as one hour to a day
to poll large, multi-terabyte servers at customer locations. After the job is done, you will see a check mark next
to “Last Run Status”.

Note: This job should not be run in a production environment during daytime hours unless necessary. It
causes additional load on the network and file server that can cause interruptions for the business.

13. Next, right-click the “Pull AD” job and select “Run Job”. After the job is done, you will see a check mark next to
“Last Run Status”.

14. Finally, right-click the “Pull Walks :: Processing” and select “Run Job”. This will also auto kick off the “Pull Walks ::
Publishing” job.

After running the above Management Console jobs, the next step is to setup Privileged Account Discovery. This
configuration will enable DatAdvantage to automatically discover accounts that belong to special usage
categories. Special usage categories include:

- Service Accounts: Accounts used to run services.

- Admin Accounts: Accounts used by administrators. These usually have higher privileges than regular users.
- Executive Accounts: Accounts used by company executives.

Once accounts are discovered, data regarding these accounts can be used in DatAlert and a variety of
DatAdvantage reports.
Page 79
Data Governance Suite
 Varonis Training Lab

15. For DatAdvantage to properly identify Executive Accounts, the user account for a top manager in the
organization (ex: CEO) needs to be defined within the Management Console. Click on “Configuration” located in
the bottom left corner of the Management Console window.

16. Click “Privileged Account Discovery” to display the Privileged Account Discovery screen.

Page 80
Data Governance Suite
 Varonis Training Lab

17. On the Privileged Account Discovery screen, locate the “Executive Accounts” section and click on the ellipses
button next to the Username field.

18. The “Directory Services Search” box will be displayed. Use this to select the top manager in the organization. For
the purpose of this lab, Allen Carey has been identified as the top manager. Enter “Allen” in the Search box and
select the “Search” button. This will populate the Search Results section. Once populated, click the “Add” button
to move Allen to the Selected User or Group section.

Page 81
Data Governance Suite
 Varonis Training Lab

19. Hit the “OK” button to accept and close this window.

20. On the Privileged Account Discovery screen, click the “Save” icon. Privileged Account Discovery has now been
configured. You may now close the Management Console.

Page 82
Data Governance Suite
 Varonis Training Lab

21. On the Desktop, open the DatAdvantage GUI which has been automatically installed as a part of the DSP
installation. Please note that the GUI can be installed as a standalone application on any Windows machine.

Note: In order to be able to open the DatAdvantage GUI, a Windows account that has been given a valid role
within DA must be used. By default, the account used for the installation is granted sufficient rights.

22. The DatAdvantage GUI will open. The HUB-DSP server should appear in the GUI. This is one of the indications
that DatAdvantage has been successfully installed. If it does not, click the down arrow next to Resources, and
place a check next to HUB-DSP in order to display it within the “Directories” pane.

23. Check to ensure that user and group information is being pulled from Active Directory by clicking the “Reload”
button located in the “Recommeded Users and Groups” pane on the right hand side.

Page 83
Data Governance Suite
 Varonis Training Lab

24. The next step is to validate the sucessful installation of the Varonis Web UI. Click on “Tools” located on the menu
bar of DatAdvantage and click on “Varonis Web Interface…”.

25. Click “Advanced” then click “Proceed to <site>” (“Continue to this website (not recommended)” in Internet
Explorer). This error occurs because the dashboard uses a self-signed certificate when it is installed.

Page 84
Data Governance Suite
 Varonis Training Lab

26. A user account that has access to the web interface needs to be entered into the dialog box. The installation user
automatically is provisioned access. Type “vrnslab\itadmin” for the username and “p@ssword1” for the
password. Click “Sign in”.

27. The DatAlert dashboard will be presented and the following message will be displayed: “No data was found for
this scope”. This indicates sucessful installation of the DatAlert web dashboard. This message is normal as there is
no data to report on. However, in a production install, alerts that trigger against DatAlert threat models will be
displayed here.

Page 85
Data Governance Suite
 Varonis Training Lab

Lab 7: Preparing the HUB-COLLECTOR machine to be a Varonis DatAdvantage Collector

Overview: The goal of this lab is to give the engineer an understanding of a distributed DatAdvantage installation by
installing an additional Varonis DatAdvantage Collector. The “probe” can be thought of as the “initial collector” and is
installed on the DSP by default (they are similar, but not the same). This additional collector will be used in the lab to
collect data from a second file server (HUB-FILER). Customers can use a distributed environment to scale their
DatAdvantage installation to support hundreds of servers. The advantage of using a collector over an additional probe is
that an instance of SQL is not required for a collector.

1. On your computer, return to your browser and open up a remote session to the VM named “collector***”.

2. .Net Framework 3.5 and Message Queing are required on this machine. On the taskbar, click on the “Server
Manager” icon.

3. Click “Add roles and features”.

Page 86
Data Governance Suite
 Varonis Training Lab

4. Click on “Server Selection”.

5. Click on “Features”.

Page 87
Data Governance Suite
 Varonis Training Lab

6. Click on the arrow to expand “.Net Framework 3.5 Features” and check off “.Net Framework 3.5 (includes
.NET 2.0 and 3.0)”. Message Queuing is also required. Click “Next”.

7. As mentioned earlier, when installing on Windows Server 2012 R2 and up, in some environments you will
need to install the “.NET Framework 3.5” features from the Windows Server installation media. For the
purposes of this lab, the Windows Server 2019 media is located in the “Downloads” folder. Mount the
Windows Server 2019 ISO.

Page 88
Data Governance Suite
 Varonis Training Lab

8. We can see in file explorer that the ISO has been mounted on drive E:.

9. Once the ISO is mounted, return to the “Add Roles and Features Wizard” window and click “Specify an
alternate source path”.

Page 89
Data Governance Suite
 Varonis Training Lab

10. In the “Specify Alternate Source Path” window, type “E:\sources\sxs” (“E:\” because that is the drive letter
of where the ISO is mounted) into the “Path” textbox and then click “OK”. If you do not specify an alternate
path, the roles and features will not be installed.

11. Click “Install” and then click “Close” once the installation completes.

Note: .NET 4.7.2 is also required to be installed on collector, however Server 2019 comes with this
preinstalled so for this lab, we don’t need to install anything else.

Page 90
Data Governance Suite
 Varonis Training Lab

12. Next, we will work on creating the Collector’s working share. Open Windows File Explorer via the taskbar.

13. Double click on the “C:” Drive.

14. Right click in the window then click “New”→”Folder”.

Page 91
Data Governance Suite
 Varonis Training Lab

15. Rename the folder to “Working Share”.

16. Right click on the “Working Share” folder and click on “Properties”. In the window that pops up (“Working
Share Properties”), head into the “Sharing” tab and click on “Advanced Sharing…” in the “Advanced Sharing”
section. In the “Advanced Sharing” window that pops up, check the box that says, “Share this folder” and
then click on the “Permissions” button at the bottom to bring up the “Permissions for Working Share”
window.

Page 92
Data Governance Suite
 Varonis Training Lab

17. Give the “Everyone” group “Full Control” and click “OK.”

18. After setting the shared (“Sharing” tab) permissions, we’ll adjust the NTFS permissions (“Security” tab) to
make sure the service account and “SYSTEM” have full permisisons on the NTFS side (if you do not see either
account on the list, click the “Edit…” button, then the “Add…” button on the following window and search
for the account that needs to be added).

Note: In production, it is best to remove unncessary user groups from the NTFS permissions like the
“Users” group.

This server is now ready to be added as a Varonis DatAdvantage Collector.

Page 93
Data Governance Suite
 Varonis Training Lab

Lab 8: How to add a Varonis DatAdvantage Collector from HUB-DSP

Overview: In distributed installations or installations with a very large number of servers, it is often necessary to install
another probe or collector to communicate with the file servers. The collector serves the same functionality as the
probe but does not require SQL to be installed locally. DatAdvantage, in general, handles 50 servers per probe/collector,
but a maximum of 100 can be added to each probe/collector with approval after Varonis Professional Services performs
sizing. There is, however, no limit to the number of probes per DSP server.

1. On HUB-DSP, double-click “Varonis Management Console” on the desktop if it is not still open from the previous
lab.

2. Click on “Collectors” in the left-hand side of the window.

Page 94
Data Governance Suite
 Varonis Training Lab

3. Click the “+” icon to add a new Collector.

4. Next to “Server”, type in the hostname of the collector machine. For this lab, the collector is named “HUB-
COLL”. Next, fill in the working share credentials, for this lab, we’ll be using the “vrnslab\svcvaronis” account and
“p@ssword1” for the password. Lastly, we’ll click on the ellipses next to “Working Share” and select the working
share we created earlier on the collector. The service account is a local admin on the Collector which is why we
aren’t modifying the “Host Server Access Credentials” section. Click “Install”.

Page 95
Data Governance Suite
 Varonis Training Lab

5. You will see the application check for the “Prerequisites” on the server. Click “Continue” to proceed through the
TLS 1.2 warning.

6. You will then see a progress bar while the collector is being installed. Once it is finished, it will show as 100%. If
you get an error on the first install mentioning that RabbitMQ is not installed, please just click the retry
button and it should complete to 100% on the second install.

7. We will now examine the folder structure created during the collector’s installation. Return to HUB-COLL and
open the file explorer, navigate to the “C:” drive and double click the “Working Share” folder that was created in
the previous Lab.

Page 96
Data Governance Suite
 Varonis Training Lab

8. During the installation, the following folders were created:

9. The diagram below shows the flow of events from the collector to the DSP using the VSB (Varonis Service Bus:
RabbitMQ Workflow).

Page 97
Data Governance Suite
 Varonis Training Lab

10. You also see the working directory structure of the Collector under “VaronisWorkingDirectoryCollector”. The
directory structure on the Collector mirrors the structure on the Probe server.

11. The following diagram demonstrates the flow of data from the fileserver to the collector, then flow of data on
the collector, and, finally, the flow of data from the collector to the probe.

Incoming Data (Fileserver -> Collector):

All incoming data from the File Servers are placed in a Workspace Folder – this is output folder of applications (DTE,
FW, DCE).

Outgoing Data (Collector -> Probe):

Successful data flow: Workspace Folder-> Publish Folder-> OutBox Folder -> Sent Folder
• Workspace – as indicated above.
• Publish – DCE, FW, etc data files that is ready for transferring. This data is already compressed.
• OutBox – DCE, FW, etc data files that is currently transferring
• OutBox\Retry – DCE, FW, etc data files that at the first attempt failed to transfer
• Sent – DCE, FW, etc data files that succeeded to transfer
• Sent\Failed - DCE, FW, etc data files that at the second attempt failed to transfer,

Incoming Data (On the Probe):

Data flow: Inbox -> Processing
• Inbox – contains received files,
• Processing – this is the working folder for applications, unzipping and processing files received from collectors.
• Processing\Failed – files that failed on processing. Covered by retention policy.

You have now installed a Varonis DatAdvantage Collector on the HUB-COLL server.

Page 98
Data Governance Suite
 Varonis Training Lab

Lab 9: Configuring DatAdvantage for Directory Services

Overview: The goal of this lab is to configure GPO polices to allow DatAdvantage to receive events from Directory
services. When making changes to the GPO it is important to set everything correctly or it can cause adverse reactions
from Exchange servers and other services.

1. Open a session to the HUB-DC server if it is not already open. Launch "Active Directory Users and Computers" by
clicking the icon on the taskbar.

2. When the “Active Directory Users and Computers” window pops up, click on “View” and make sure “Advanced
Features” is checked, then right click on the domain (“vrnslab.se”) and select “Properties”.

Page 99
Data Governance Suite
 Varonis Training Lab

3. Select the "Security" tab and click "Advanced".

4. Select the "Auditing" tab, then select the "Everyone" auditing entry (if there is more than one entry for “Everyone”
click on the first entry that says "Special" in the “Applies to” Column) and click "Edit". The "Auditing Entry for
vrnslab" dialog box will be displayed.

Note: If there is no such entry you must add it.

Page 100
Data Governance Suite
 Varonis Training Lab

5. Click on the drop-down menu next to the right of the word "Type" and select "All".

6. Click on the drop-down menu to the right of the words "Applies to:" and select "This object and all descendant
objects".

Page 101
Data Governance Suite
 Varonis Training Lab

7. Edit the permissions to give the “Everyone” group the Full Control permission on all objects.

8. Next, remove the “List contents”, “Read all properties” and “Read permissions” to reduce the number of events
recorded in the event log, then click “OK”.

Page 102
Data Governance Suite
 Varonis Training Lab

9. Scroll to the bottom and make sure the “Apply these auditing settings to objects and/or containers within this
container” check box is unchecked.

10. Click "OK” to close the "Advanced Security Settings for vrnslab" window. Close the “Properties” window as well.

Page 103
Data Governance Suite
 Varonis Training Lab

11. In order to give the Varonis service account the ability to track GPO changes without giving it domain admin
privileges, we need to delegate some control to it. Open “Active Directory Users and Computers”, right click the
domain and click “Delegate Control”.

12. In the “Delegation of Control Wizard”, click “Next” on the initial screen, add the Varonis service account under
“Selected users and groups” and then click “Next”.

Page 104
Data Governance Suite
 Varonis Training Lab

13. In the next window, tick the boxes for “Read all user information” and “Mange Group Policy Links” then hit “Next”
and “Finish”.

14. Open the Group Policy editor by clicking the icon on the taskbar.

Page 105
Data Governance Suite
 Varonis Training Lab

15. Navigate to “Forest”->“Domains”->“vrnslab.se”->“Group Policy Objects”, and right click on "Default Domain
Controllers Policy" and choose "Edit…".

Note: For this lab we’ll be editing the “Default Domain Controllers Policy”. For customer installs however, it may not
be this policy, the best way to figure out which policy to edit for each policy setting is to run “RSOP” in an elevated
command prompt on their domain controller and check the “Source GPO” for the policy that needs changing.

16. Expand the navigation tree “Computer Configuration”->“Policies”->“Windows Settings”->“Security Settings”->

“Local Policies” and select “Audit Policy”. The audit policies are displayed in the right pane.

Page 106
Data Governance Suite
 Varonis Training Lab

17. Double click "Audit account logon events".

18. Check the box next to "Define these policy settings". Success should be checked by default, if not, check it. Click on
the checkbox next to "Failure" and click "OK".

Page 107
Data Governance Suite
 Varonis Training Lab

19. Repeat steps 17 and 18 for the following policies, however set them to success only:
1. Audit account management
2. Audit directory service access
3. Audit logon events

Note: You can also turn on Advanced Auditing which enables more granular options for auditing DC’s. If Advanced
Auditing is turned on, they will override the default Audit Policy settings. You must either turn off Advanced
Auditing or configure the granular Advanced Auditing policies individually for Varonis to properly capture event
activity.

20. Close the window and open “Active Directory Users and Computers”. Navigate to “vrnslab.se > Builtin” and
double-click “Event Log Readers”.

Page 108
Data Governance Suite
 Varonis Training Lab

21. Click the “Members” tab and then click “Add…”. Enter the service account “svcvaronis” into the dialog box, click
“Check Names”, then click “OK”.

22. This will add the service account to the appropriate group needed to read the event logs on Domain Controllers.
Click “OK” to close the window.

Page 109
Data Governance Suite
 Varonis Training Lab

23. Once the configurations in the previous steps have been made, it’s important to verify that the changes have been
applied. To accomplish this, we’ll be opening an elevated PowerShell window on the domain controller and
running “gpupdate /force” and “RSOP” (Resultant Set of Policy). The generated window will show us which policies
are currently applying and which GPO those settings are coming from.

Page 110
Data Governance Suite
 Varonis Training Lab

24. To enable event collection from Active Directory, open the Varonis Management Console and go to “Root” →
“Domains” → Select the domain → “Edit”.

25. The “Domain Properties” window will open up. Click on the “Directory Services” tab and make the following
changes and then click “Domain Controllers”.

Page 111
Data Governance Suite
 Varonis Training Lab

26. The Domain Controller should already be populated and the box for “Events” should be checked. Click “Save”.

27. Once the progress bar reaches 100%, auditing for the selected domain controllers has been completed.

You have successfully configured Directory Service event collection.

Page 112
Data Governance Suite
 Varonis Training Lab

Lab 10: Performing a DatAdvantage Health Check

Overview: The goal of this lab is to determine if DatAdvantage is functioning properly after a new installation. This lab
will review the log messages, Management Console job status, event collection, permission collection and other
activities which contribute to a functioning DatAdvantage system.

Procedure: Review the following within the installation that you just performed. Note any issues that you find.

1. Determine if there are any issues with the installation by viewing the Varonis tab in the Windows Event Viewer.
a. Were any Warning events visible in the Windows Event Viewer for HUB-DSP or HUB-COLL
b. Did the probe connect properly to the HUB-DSP file servers?
c. Are there any indications that CIFS events are not being collected properly based on the
messages/warnings in the HUB-DSP file server?
2. Did the SQL jobs finish successfully?
a. In the Management Console, view the job history, steps and sub-steps— were there any failures on any
of the jobs?
3. Open the DatAdvantage GUI
a. Are there folders visible in the Work Area?
i. Do any grey folders or red symbols exist in the directory tree?
ii. There aren’t recommendations for removal from groups, but they will develop over time. In a
production installation this should be checked a week after the installation
b. Log
i. Make sure that events are showing up under Analytics in the Varonis Web Dashboard
ii. Within the Log area, select the Windows folder for HUB-DSP and log data should be visible. Keep
in mind that these labs may not have events since you have just freshly installed the software.
c. Go to Statistics
i. Is there any usage data available?
ii. Are there any probable service accounts to filter out?
iii. Is data available from all servers?
iv. Is there daily data for every day that DA is installed?
d. Reports
i. Generate a report. Is reporting services working properly?
ii. As an example, is the Group membership report working?

If each of the above items are checked, and no anomalies exist, the DatAdvantage installation was successful.

Page 113
Data Governance Suite
 Varonis Training Lab

Lab 11: Configure DataPrivilege for Basic Functionality

Overview: The goal of this lab is to configure DataPrivilege. During this lab, you will configure DP so that an ordinary
user can request access to a Finance folder. To do this, you will configure a data owner, base folder, and other options
necessary to create a real working DP installation. You will then provide an ordinary user with the ability to request
access to this Finance folder and authorize access using the Data Owner assigned to that folder. You will then confirm
within AD and the fileserver that the ACL and groups have been properly configured by DP.

DataPrivilege Terminology: Knowledge of the following terminology is necessary to complete this lab.

Term Definition
ACL Access control list. A list of permissions attached to an object. The
list specifies who or what is allowed to access the object and what
operations are allowed to be performed on the object. In a typical
ACL, each entry in the list specifies a subject and an operation: for
example, the entry (Alice, delete) on the ACL for file XYZ gives Alice
permission to delete file XYZ.
Authorization A rule that enforces an additional level of authorization, provided
rule that the user for whom the request is made meets certain criteria
defined by the rule.
Automatic rule A rule or a set of rules that enables automatic approval of data
access requests and group membership requests, provided that the
user for whom the request is made meets certain criteria defined by
the rule.
Base folder The root managed folder. A storage folder that is managed by one or
more data owners. Can only be defined by administrators. Contains
directories.
Base OU Base organization unit. The OU in which all of a domain’s entities are
created. See OU below.
Commit Host The name of the Commit engine defined for the file
server.
Note: For better performance, DataPrivilege enables the definition
of
multiple Commit engines. There is no limit to the number of commit
hosts that can be deployed.
Location A hierarchical tree representing a logical grouping of folders. Such
grouping may be geographical (such as US or EU) divisional (such as
ENG or ACC) or any other criteria.
Managed A folder that has been fully configured in DP to allow end–users to
folder request access to it, and includes a data owner and the necessary
permissions
Managed A defined group of users with the following conditions:
group ▪ An owner is defined for it
▪ At least one authorizer is defined for it

Page 114
Data Governance Suite
 Varonis Training Lab

Term Definition
OU Organizational unit. Organizational units are Active Directory
containers which can include users, groups, computers, and other
organizational units. They are often defined such that they mirror an
organization’s functional or business structure.
Roles Several roles are predefined in DataPrivilege:
▪ System Administrator
▪ Administrators
▪ Data Owners
▪ Data Authorizers
▪ Users
▪ Request Supervisor

Data Access Request Flow

The following figure illustrates the flow of data access requests when a person requests access via DP. An understanding of this is
required when using DP:

Page 115
Data Governance Suite
 Varonis Training Lab

1. Click on the “Active Directory Users and Computers” icon on the taskbar on HUB-DC.

2. Right-click on the domain “vrnslab.se” and select “New” then “Organizational Unit”.

Note: It is best practice to create a new Organization Unit when installing DP. All the new groups that get created
within DataPrivilege will go into a specified OU within the Management Console.

3. Name the new OU “Varonis”. This OU will be used by DP as stated above. Click “OK”.

Page 116
Data Governance Suite
 Varonis Training Lab

4. Upon returning to the “Users and Computers” screen, right-click on the “Varonis” OU and select “Delegate
Control”.

5. Within the “Delegation of Control Wizard” window, click “Next”.

6. You will now be adding the User Account that will be the Administrator of this new DP OU. The Administrator
account will be used to add locations and groups to the DP OU. Within the “Users and Groups” window, click
“Add…”.

Page 117
Data Governance Suite
 Varonis Training Lab

7. Select the svcvaronis service account as the account used to control the DP OU. You will need to click “Check
Names” to ensure that the svcvaronis account is properly configured.

8. Click “Next”.

9. Delegate the tasks as shown below and then click “Next”.

Page 118
Data Governance Suite
 Varonis Training Lab

10. Click “Finish”. This completes addition of the service account as the Delegated Controller of the Varonis OU.

11. DataPrivilege domain configuration is performed within the Varonis Management Console. Logon to the HUB-
DSP server and launch the Varonis Management Console by clicking the icon on the desktop.

12. Click on “Domains” located on the left-hand side of the Management Console window.

Page 119
Data Governance Suite
 Varonis Training Lab

13. Within Domains, highlight the “vrnslab.se” entry and select “Edit” from the top menu bar to launch the “Domain
Properties” window.

14. Select the “Commit” option from the left menu

Page 120
Data Governance Suite
 Varonis Training Lab

15. The “Domain Commit Credentials” section of this view provides the ability to specify the active directory account
that is used by DataPrivilege when making changes to the domain. For this lab, leave the default configuration.

16. Within the “Group OU” section, select the ellipses button next to the “OU” field to specify the default
organizational unit in which groups created by DataPrivilege will be located.

Page 121
Data Governance Suite
 Varonis Training Lab

17. Select the “Varonis” OU, which was created in the previous section, and click “Add”.

18. Hit “Save” to apply the changes made.

Page 122
Data Governance Suite
 Varonis Training Lab

19. The “vrnslab.se” domain entry within the Domains screen will process the update.

20. Once the progress bar reaches 100%, the changes have been applied.

21. Minimize the Varonis Management Console, launch the Chrome browser and navigate to the default
DataPrivilege web address http://localhost/dp. It may take several moments to load. Since DataPrivilege uses
Windows Authentication, you will automatically be logged in to DataPrivilege with the same Windows Account
that you are currently logged in as. For purposes of this lab we are using the “itadmin” account because only
administrators of DataPrivilege can see the administrative options.

Page 123
Data Governance Suite
 Varonis Training Lab

22. Within the left-hand pane, click “Administration” and then “Base Folders”. Select the “vrnslab.se” domain and
click on the “Add” button.

23. Within the “Add Base Folder Wizard” window, click on the ellipses button under “Select Folders”.

Page 124
Data Governance Suite
 Varonis Training Lab

24. Within the “Select Base Folders” window click “Search Hosts”.

25. Expand the HUB-DSP server, expand the “C$” share, expand the “Varonis” directory and select the “Finance”
folder then click “OK”.

Page 125
Data Governance Suite
 Varonis Training Lab

26. Click “Add” within the “Add Base Folder Wizard” window.

27. Within the following screen, the administrator can select which permissions are available to the end–users
requesting access to this folder. Next, select the permissions that people will be able to request, when
requesting access to the “Finance” folder. Place a check in the box next to both Read and Write. Overwrite the
existing group names that will be assigned within Active Directory to “fin-read” for read permissions and “fin-
write” for write permissions. Also, select “Bypass Group Authorization”, then click “Next”.

Page 126
Data Governance Suite
 Varonis Training Lab

28. We will now select the Data Owner for the Finance Folder. The Data Owner is responsible for naming an
authorizer or performing the authorization for access to this folder. The Data Owner can also assign business
rules to automatically limit access to this folder. In this case the Data Owner of the Finance folder is Amanda
Roberts. Within the “Select Data Owners” window, click “Add User” to search for the Data Owner.

29. Type “Amanda” in the dialog box and click the search icon. Amanda’s name will appear in the window. Click on
“Amanda Roberts” and then click “OK”.

Page 127
Data Governance Suite
 Varonis Training Lab

30. Within the “Select Data Owners” window, click “Add”. Once added, select the checkbox next to Amanda Roberts
and select “Level 1” from the Authorizer dropdown. This will provision Amanda as both the Data Owner and
Folder Authorizer. Click “Submit” to continue.

Note: Data Owners are managers who are responsible for managed folders. Authorizers are responsible for
approving or declining access requests. If no authorizer is selected, all requests go to the data owner directly.

Page 128
Data Governance Suite
 Varonis Training Lab

31. The following screen will be displayed indicating that the configuration changes were successful. Click “Close”.

32. In summary, we have added the Finance Folder as a managed Folder, we have added 2 permissions (read and
write) and we have assigned Amanda Roberts as the Data Owner/Folder Authorizer. End users can now request
either read or write access to the Finance Folder and they will be authorized to gain access to it by Amanda, who
in this case is a Business Data Owner.

Page 129
Data Governance Suite
 Varonis Training Lab

33. The initial synchronization of the Data Owners between DatAdvantage and DataPrivilege takes place when the
overnight jobs run. After the initial installation, you may want to force this synchronization to occur
immediately. Open the Varonis Management Console.

34. Run the “FileWalk HUB-DSP” job. The FileWalk job may take a few minutes to complete. Once it is complete, you
will see a checkmark in the “Last Run Status” column.

35. Run the “DFS Walk” job. Once it is complete, you will see a checkmark in the “Last Run Status” column.

36. Run the “Pull Walks :: Processing” job. Once it is complete, you will see a checkmark in the “Last Run Status”
column.

Page 130
Data Governance Suite
 Varonis Training Lab

37. DataPrivilege uses Windows Authentication to provide users with the ability to login automatically without re-
entering their credentials in the browser. However, to mimic other users in the following labs, we will disable
this feature to allow you to log in as other users. Open Internet Explorer, click on the settings icon, then
“Internet options”.

38. Go to the “Security” tab, then select on the “Custom Level…” button within the “Local intranet” zone.

Page 131
Data Governance Suite
 Varonis Training Lab

39. Scroll to the bottom of the “Settings” pane to “User Authentication”, select “Prompt for user name and
password” and click “OK”. When the warning (pictured on the right) pops up, click “Yes”.

40. Click “Apply”, followed by “OK”, then close the browser.

Page 132
Data Governance Suite
 Varonis Training Lab

41. Open Chrome on the HUB-DSP server. (If Chrome is already open, please close and reopen it). Navigate to
http://localhost/dp .

42. Use “mhalsey” as the username, and “p@ssword1” as the password when prompted for credentials.

43. Upon logging in, the following screen will display. Click on “Permission Requests” in the navigation pane on the
left.

Page 133
Data Governance Suite
 Varonis Training Lab

44. When submitting a Permission Request, the person submitting the request needs to select or provide the
following:
a. The folder they are requesting access to
b. The operation they are requesting
c. The permissions they are requesting on that folder
d. The reason they require access to that folder
e. Optional - The period of time that they require access to that folder and/or when they would like the
access to begin
On the following screen, click the “Browse” button to search through the list of folders to request access to.

Page 134
Data Governance Suite
 Varonis Training Lab

45. Expand the “vrnslab.se” domain and select the “Finance” folder and click “OK”.

46. Please note that you can change the permissions and operation to the required level of access. In this example,
Melissa Halsey requires Write access to the Finance folder. Select “Write” from the permissions dropdown box.
In addition, enter the reason she is requesting access, as “I will be working in the Finance folder and need
access”. Click “Submit”.

Page 135
Data Governance Suite
 Varonis Training Lab

47. On the next screen, the requestor will see the status of the request. Note that the ability to see the list of
Authorizers is available via a link. Users can view this if required. Close the browser.

Page 136
Data Governance Suite
 Varonis Training Lab

48. Open Chrome on the HUB-DSP server. If it is already open, please close and reopen. Use “aroberts” as the
username and “p@ssword1” as the password when prompted for credentials.

49. Upon logging in, click “Summary” in the left navigation pane, and then click on “Requests waiting for my
approval”.

Page 137
Data Governance Suite
 Varonis Training Lab

50. The following screen will display. Click on the “Request details” icon next to the request.

51. Within the “Request Details” window, the Authorizer can:

a. Approve or deny the request
b. Change the permissions that are approved for this request
c. Set an expiration date on the access
In this case, we will have Amanda Roberts approve the request. Click Approve, enter “OK, Approved” as an
explanation text and then select the “Approve” button again.

Page 138
Data Governance Suite
 Varonis Training Lab

52. At this point, the user, Melissa Halsey, has been added to the fin-write group which DP added to the “Finance”
folder’s ACL. By reviewing the security settings on the “Finance” folder, you will see that the “fin-read” and “fin-
write” groups have been added to the “Finance” folder’s ACL. These were added automatically when the
“Finance” folder was added to DP. Within windows explorer, navigate to the Finance folder.

53. Right click on the “Finance” folder and select “Properties”.

Page 139
Data Governance Suite
 Varonis Training Lab

54. Navigate to the “Security” tab.

55. Both the “fin-write” and “fin-read” groups have been added to the Finance folder ALC.

56. In addition, if you review the Groups within the DP OU (Varonis) in AD (HUB-DC), you will see that Melissa is now
part of the “fin-write” group which is assigned to the “Finance” folder’s ACL.

Page 140
Data Governance Suite
 Varonis Training Lab

Lab 12: Adding a Data Owner and Base Folder to DataPrivilege from DatAdvantage

Overview: The process of configuring a folder in DataPrivilege as described in this lab can also be completed by
assigning a Data Owner in DatAdvantage and then allowing the synchronization service to populate the owner
information to DataPrivilege. Once this is completed, the newly managed folder will be visible within DataPrivilege as a
base folder, however the Active Directory groups used for permission requests, will still need to be configured manually.

1. Open the DA GUI and navigate to the desired folder. In this example we will use the Legal folder
(“C:\Varonis\Legal”) on HUB-DSP.

Page 141
Data Governance Suite
 Varonis Training Lab

2. A Data Owner can be assigned within DatAdvantage in many locations including the Work Area. Within the
“Recommended Users and Groups” pane, search for the user’s name, “Bob”, in the “Look for” textbox, then drag
and drop the owner onto the desired folder. When the dialog box opens asking if you are sure you want to set
the user as the owner, click “Yes”. This will make the user the Data Owner of the specified folder giving the user
the ability to manage access to this folder without the involvement of the IT department.

3. The icon next to the specified folder will change to “Managed, pending synchronization” which indicates that
the folder is now owned, however the system must synchronize with DataPrivilege.

Page 142
Data Governance Suite
 Varonis Training Lab

4. Right-click on the specified folder and select “Manage Ownership”.

5. Validate that the “Status” for Bob Barron is set to “Synchronized” and click “OK”. If not, wait a minute and check
again before proceeding.

Page 143
Data Governance Suite
 Varonis Training Lab

6. The folder icon will now change within DatAdvantage indicating successful synchronization with DataPrivilege.

7. On the HUB-DSP server, open Chrome and login to DataPrivilege using “vrnslab\itadmin” for the username and
“p@ssword1” for the password.

8. Click “Administration”, then “Base Folders” and then expand the “vrnslab.se” domain. Note that the newly
added base folder is grayed out because it does not have permissions assigned to it. Once the permissions are
assigned, the folder will turn yellow.

Page 144
Data Governance Suite
 Varonis Training Lab

9. Select the newly added base folder “Legal” and click “Edit”.

10. Create two new groups, “Legal-Read” for Read and “Legal-Write” for Write. Check off “Bypass Group
Authorization” and click “Submit”.

Page 145
Data Governance Suite
 Varonis Training Lab

11. Click “Close” on the prompt confirming the changes.

12. The newly added base folder is now yellow, indicating that people can now request access to it (this may take a
few minutes to process and you will need to refresh the web page to see this).

This completes the Basic Installation Lab. Please proceed to take the quiz.

Page 146
Data Governance Suite