Windows Server

Configuring the Veza integration for Windows Server

Overview

The Veza integration for Windows Server comprises an OAA package and a collection of .NET 6.0 applications. These tools discover metadata from a Windows Server host and forward it to a Veza instance. The application package comes as an MSI installer for deployment on Windows Server.

Components

The Veza Windows OAA application includes:

A service that discovers local groups, user accounts, services, and scheduled tasks within the Windows Server OS.
A service to detect Active Directory filesystem permissions on SMB file shares.
A GUI application for configuring discovery services and setting up the Veza connection.

Prerequisites

Windows Server 2012 or newer.
The .NET 6.0 runtime must be pre-installed before deploying the Veza MSI.
You will need the installation program from Veza, available here

Windows Local Accounts

This service identifies local security principals on the Windows Server host. By default, it detects:

Local user accounts
Local groups
(Optional) Installed services
(Optional) Configured scheduled tasks

Properties

User Properties Description

User Properties	Description
`cannot_change_password`	Indicates if the user's password can't be changed (boolean)
`locked_out`	Shows if the user account is locked out (boolean)
`password_never_expires`	Checks if the user's password is set to never expire (boolean)
`password_not_required`	Checks if the user doesn't need a password (boolean)
`type`*	Differentiates between `local` or `active directory` user accounts (string)

cannot_change_password

Indicates if the user's password can't be changed (boolean)

locked_out

Shows if the user account is locked out (boolean)

password_never_expires

Checks if the user's password is set to never expire (boolean)

password_not_required

Checks if the user doesn't need a password (boolean)

type*

Differentiates between local or active directory user accounts (string)

Group Properties Details

Group Properties	Details
`type`*	Specifies if the group is `local` or associated with `active directory` (string)

type*

Specifies if the group is local or associated with active directory (string)

Scheduled Task Properties Details

Scheduled Task Properties	Details
`path`	Full path of the scheduled task (string)
`state`	Current state: `Ready`, `Running`, `Disabled`, etc. (string)

path

Full path of the scheduled task (string)

state

Current state: Ready, Running, Disabled, etc. (string)

Service Properties Details

Service Properties	Details
`service_account_name`	Account used to run the service (string)
`start_type`	Start type: `Automatic`, `Manual`, etc. (string)
`status`	Current status: `Running`, `Stopped`, etc. (string)

service_account_name

Account used to run the service (string)

start_type

Start type: Automatic, Manual, etc. (string)

status

Current status: Running, Stopped, etc. (string)

Note (*): Local groups on Windows Server can contain both Active Directory subgroups and local user accounts. The type property distinguishes between the two entities.

Windows Files

This service discovers filesystem permissions for specified paths and subdirectories based on the set depth. It primarily identifies:

Filesystem paths
Active Directory users and groups with permissions on each path
Permission inheritance

Limitations

Designed for SMB file shares utilizing Active Directory permissions.
Metadata from security principals that do not correlate to Active Directory users or groups is omitted before sending data to Veza.

Setup and Configuration

Veza Setup

Note down your Veza tenant URL.
Produce an API key: Navigate to Administration > API Keys > Add New API Key.

Installation

Run the Veza.msi installation program and follow the on-screen prompts. By default, the application installs in C:\Program Files\Veza.

Post-installation, open Veza Configuration from the Start menu.

Under the Veza API tab, input your Veza instance URL into Veza URL.
Paste the previously created API key into Veza API Key.
Click Apply.

To verify the successful connection, log in to Veza and open the Integrations page. You should see Windows Server enabled on the list of all integrations.

Local Accounts

In Local Accounts, adjust settings as desired:

Option Purpose

Option	Purpose
`Enabled`	Toggles discovery
`Discovery Interval`	Sets interval between discovery runs (min: 60 minutes)
`Include Services`	Enables service discovery
`Include Scheduled Tasks`	Activates scheduled task data discovery

Enabled

Toggles discovery

Discovery Interval

Sets interval between discovery runs (min: 60 minutes)

Include Services

Enables service discovery

Include Scheduled Tasks

Activates scheduled task data discovery

Files

In Files, customize as needed:

Option Purpose

Option	Purpose
`Enabled`	Toggles discovery
`Discovery Interval`	Time gap between discoveries (min: 120 minutes)
`Discovery Threads`	Sets concurrent discovery threads
`Paths`	Use `Add Path` to specify discovery paths

Enabled

Toggles discovery

Discovery Interval

Time gap between discoveries (min: 120 minutes)

Discovery Threads

Sets concurrent discovery threads

Paths

Use Add Path to specify discovery paths

Advanced

Adjust the service's log level from the drop-down list. By default, logs are saved at C:\Program Files\Veza\vezawindows.log and C:\Program Files\Veza\vezafiles.log.

PreviousTrello NextWorkato

Last updated 1 month ago