Windows Server

Deployment Guide for Veza Windows Server Integration

Last updated 1 month ago

Was this helpful?

Windows Server

Deployment Guide for Veza Windows Server Integration

Overview

The Veza integration for Windows Server comprises an OAA package and a collection of .NET 8.0 applications. These tools discover metadata from a Windows Server host and forward it to a Veza instance. The application package comes as an MSI installer for deployment on Windows Server.

Components

The Veza Windows OAA application includes:

A service that discovers local groups, user accounts, services, and scheduled tasks within the Windows Server OS.
A service to detect Active Directory filesystem permissions on SMB file shares.
A GUI application for configuring discovery services and setting up the Veza connection.

Prerequisites

Windows Server 2012 R2 or newer
.NET 8.0 Runtime (included in the installer)
You will need the installation program from Veza, available

Deployment Specifications

System Requirements

Resource

Requirement

Notes

Memory

< 50MB RAM

During normal operation

Disk Space

~300MB

For application installation

Additional Disk Space

Varies

Up to 1GB for logs when using Debug level

Network

Outbound HTTPS (443)

To Veza tenant

Permissions

Local Administrator

Required for installation and operation

Performance Impact

The Veza Windows integration is engineered to operate with minimal resource utilization across enterprise environments:

CPU Utilization: Typically insignificant during standard metadata collection operations
Memory Consumption: <50MB RAM during normal operational cycles
Network Bandwidth: Optimized data transmission with lightweight payloads transmitted at configurable intervals (default: 60 minutes)
Storage I/O: Negligible impact on storage subsystems outside of scheduled log maintenance or diagnostic activities

Operational Schedule

By default, the application collects and sends metadata to Veza every 60 minutes
This interval can be configured between 1 hour and 1 day to suit your organizational requirements
For file share discovery, a minimum interval of 120 minutes is recommended

Log Management

The application stores 14 days of logging information
Logs are automatically purged as they age out
At the standard Info level, log storage is negligible
At Debug level, logs may consume up to 1GB of disk space
Log locations:
- C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log
- C:\Program Files\Veza\Folders\logs\VezaFiles.log

Installation

Deployment Options

The Veza Windows integration supports both manual and automated deployment methods:

Manual Installation

Run the Veza.msi installation program and follow the on-screen prompts. By default, the application installs in C:\Program Files\Veza.

Silent Installation (for automated deployment)

The MSI package supports standard silent installation parameters for enterprise deployment:

# Basic silent install
msiexec /i Veza.msi /qn

# Install with specific log file
msiexec /i Veza.msi /qn /l*v install.log

# Install to custom directory
msiexec /i Veza.msi /qn INSTALLDIR="D:\Applications\Veza"

Post-Installation Configuration

For enterprise deployments across multiple servers, Veza recommends the following workflow:

Deploy the MSI to target machines using your preferred orchestration tool (SCCM, PDQ Deploy, etc.)
Deploy a standardized configuration file to C:\Program Files\Veza\Veza.config
Execute a script to securely store the Veza API key:

# Store API key (this encrypts the key using Windows Data Protection API)
C:\Program Files\Veza\VezaWindowsTray.exe --api_key=<veza_api_key>

Example Configuration File

Below is a standard configuration template that can be customized for your environment:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <configSections>
  <section name="PathConfigurationSection" type="Veza.Integrations.PathConfigurationDataSection, PathConfiguration, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
 </configSections>
 <PathConfigurationSection>
  <PathConfigurations>
  <!-- Define your standard file paths here -->
  </PathConfigurations>
 </PathConfigurationSection>
 <appSettings>
  <!-- Local Account Collection Settings -->
  <add key="windows_local_accounts-enabled" value="true" />
  <add key="windows_local_accounts-interval" value="60" />
  <add key="windows_local_accounts-services_enabled" value="true" />
  <add key="windows_local_accounts-tasks_enabled" value="true" />
  <add key="windows_local_accounts-save_json" value="false"/>

  <!-- Veza API Connection Settings -->
  <add key="veza-api_key" value="YOUR_API_KEY_PLACEHOLDER" />
  <add key="veza-url" value="https://YOUR_TENANT.vezacloud.com" />
  <add key="veza-loglevel" value="Info" />

  <!-- File Share Discovery Settings -->
  <add key="windows_files-enabled" value="true" />
  <add key="windows_files-interval" value="120" />
  <add key="windows_files-threads" value="1" />
  <add key="windows_files-save_json" value="false"/>
 </appSettings>
</configuration>

Automated Deployment Example

For large-scale deployments to multiple servers, you can use a script like this:

# 1. Deploy MSI package
msiexec /i Veza.msi /qn

# 2. Deploy golden configuration file
Copy-Item "\\deployment-share\Veza\Veza.config" -Destination "C:\Program Files\Veza\Veza.config" -Force

# 3. Securely store API key (this encrypts the key using Windows Data Protection API)
Start-Process -FilePath "C:\Program Files\Veza\VezaWindowsTray.exe" -ArgumentList "--api_key=YOUR_ACTUAL_API_KEY" -NoNewWindow -Wait

This approach securely manages the API key as it is encrypted and decrypted using LocalMachine credentials via the Windows Data Protection API.

GUI Configuration (manual deployment)

Post-installation, open Veza for Windows from the Start menu.

Under the Veza API tab, input your Veza instance URL into Veza URL.
Paste the previously created API key into Veza API Key.
Click Apply.

To verify the successful connection, log in to Veza and open the Integrations page. You should see Windows Server enabled on the list of all integrations.

Note: The installed service needs to run with Administrative privileges.

Security Considerations

API Key Management

The Veza Windows integration uses an API key to authenticate with the Veza tenant. Important security considerations include:

Key Generation: API keys are issued from the Veza tenant by users with administrative access
Key Deployment Options:
- Deploy a unique key per server for the highest security
- Deploy a shared key across all servers for simplified management
- Deploy keys by department or region for balanced security and management
Key Storage:
- The API key is encrypted using Windows Data Protection API
- Stored in the configuration file at C:\Program Files\Veza\Veza.config
Key Rotation:
- Keys are not automatically rotated
- Keys can be manually deleted and replaced with new ones via the Veza tenant
Key Compromise:
- A compromised key would grant access to the endpoints listed in Veza APIs
- Immediately delete and replace any compromised keys

See Authentication for more about Veza API keys.

Network Security

The Veza Windows integration requires:

Outbound HTTPS (443) access to the Veza tenant or Insight Point
All data is transmitted using TLS 1.2 or higher

No inbound connectivity is required.

Update Management

The Veza for Windows application follows a separate release cadence from the Veza platform:

Updates are released only for bug fixes, security bulletins, and feature enhancements
Updates are manually deployed via new MSI packages published by Veza
No automatic updates are performed
Update notifications are sent to tenant administrators

To update existing installations:

Download the latest MSI from Veza
Deploy using the same methods as the initial installation
The installation program will automatically upgrade the existing installation

Configuration settings are preserved during upgrades.

Standard Functionality

Windows Local Accounts

This service identifies local security principals on the Windows Server host. By default, it detects:

Local user accounts
Local groups
(Optional) Installed services
(Optional) Configured scheduled tasks

Properties

User Properties

Description

cannot_change_password

Indicates if the user's password can't be changed (boolean)

locked_out

Shows if the user account is locked out (boolean)

password_never_expires

Checks if the user's password is set to never expire (boolean)

password_not_required

Checks if the user doesn't need a password (boolean)

type*

Differentiates between local or active directory user accounts (string)

Group Properties

Details

type*

Specifies if the group is local or associated with active directory (string)

Scheduled Task Properties

Details

path

Full path of the scheduled task (string)

state

Current state: Ready, Running, Disabled, etc. (string)

Service Properties

Details

service_account_name

Account used to run the service (string)

start_type

Start type: Automatic, Manual, etc. (string)

status

Current status: Running, Stopped, etc. (string)

Note (*): Local groups on Windows Server can contain both Active Directory subgroups and local user accounts. The type property distinguishes between the two entities.

Windows Files

This service discovers filesystem permissions for specified paths and subdirectories based on the set depth. It primarily identifies:

Filesystem paths
Active Directory users and groups with permissions on each path
Permission inheritance

Limitations

Designed for SMB file shares utilizing Active Directory permissions
Metadata from security principals that do not correlate to Active Directory users or groups is omitted before sending data to Veza
Enumerating large shares can be more memory-intensive and will increase the RAM requirement during execution

Configuration Options

Local Accounts

In Local Accounts, adjust settings as desired:

Option

Purpose

Enabled

Toggles discovery (check mark to enable discovery)

Discovery Interval

Sets interval between discovery runs (min: 60 minutes)

Include Services

Enables service discovery (optional)

Include Scheduled Tasks

Activates scheduled task data discovery (optional)

Files

In Folders, customize as needed:

Option

Purpose

Enabled

Toggles discovery

Discovery Interval

Time gap between discoveries (min: 120 minutes)

Discovery Threads

Sets concurrent discovery threads

Paths

Use Add Path to specify discovery paths

Troubleshooting

Common Issues

If you encounter connection failures:
- Verify network connectivity to the Veza tenant
- Check API key validity in the Veza tenant
- Ensure correct URL format (e.g. https://tenant-name.vezacloud.com)
For issues with high resource usage:
- If memory usage exceeds 50MB during normal operation, check file share sizes
- Reduce the number of discovery threads for file shares
- Increase discovery intervals
Log Analysis:
- You can adjust the service's log level using the dropdown menu. By default, logs are saved at C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log and C:\Program Files\Veza\Folders\logs\VezaFiles.log.
- Set log level to Debug temporarily to gather more information for troubleshooting and support requests.
- Reduce the logging level after troubleshooting to minimize disk usage

Support

For additional assistance, contact Veza Support at support@veza.com or through your account representative.

PreviousVeza NextWorkato

Last updated 1 month ago

Was this helpful?

Overview

Components

The Veza Windows OAA application includes:

A service that discovers local groups, user accounts, services, and scheduled tasks within the Windows Server OS.
A service to detect Active Directory filesystem permissions on SMB file shares.
A GUI application for configuring discovery services and setting up the Veza connection.

Prerequisites

Windows Server 2012 R2 or newer
.NET 8.0 Runtime (included in the installer)
You will need the installation program from Veza, available

Deployment Specifications

System Requirements

Resource

Requirement

Notes

Memory

< 50MB RAM

During normal operation

Disk Space

~300MB

For application installation

Additional Disk Space

Varies

Up to 1GB for logs when using Debug level

Network

Outbound HTTPS (443)

To Veza tenant

Permissions

Local Administrator

Required for installation and operation

Performance Impact

The Veza Windows integration is engineered to operate with minimal resource utilization across enterprise environments:

CPU Utilization: Typically insignificant during standard metadata collection operations
Memory Consumption: <50MB RAM during normal operational cycles
Network Bandwidth: Optimized data transmission with lightweight payloads transmitted at configurable intervals (default: 60 minutes)
Storage I/O: Negligible impact on storage subsystems outside of scheduled log maintenance or diagnostic activities

Operational Schedule

By default, the application collects and sends metadata to Veza every 60 minutes
This interval can be configured between 1 hour and 1 day to suit your organizational requirements
For file share discovery, a minimum interval of 120 minutes is recommended

Log Management

The application stores 14 days of logging information
Logs are automatically purged as they age out
At the standard Info level, log storage is negligible
At Debug level, logs may consume up to 1GB of disk space
Log locations:
- C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log
- C:\Program Files\Veza\Folders\logs\VezaFiles.log

Installation

Deployment Options

The Veza Windows integration supports both manual and automated deployment methods:

Manual Installation

Run the Veza.msi installation program and follow the on-screen prompts. By default, the application installs in C:\Program Files\Veza.

Silent Installation (for automated deployment)

The MSI package supports standard silent installation parameters for enterprise deployment:

# Basic silent install
msiexec /i Veza.msi /qn

# Install with specific log file
msiexec /i Veza.msi /qn /l*v install.log

# Install to custom directory
msiexec /i Veza.msi /qn INSTALLDIR="D:\Applications\Veza"

Post-Installation Configuration

For enterprise deployments across multiple servers, Veza recommends the following workflow:

Deploy the MSI to target machines using your preferred orchestration tool (SCCM, PDQ Deploy, etc.)
Deploy a standardized configuration file to C:\Program Files\Veza\Veza.config
Execute a script to securely store the Veza API key:

# Store API key (this encrypts the key using Windows Data Protection API)
C:\Program Files\Veza\VezaWindowsTray.exe --api_key=<veza_api_key>

Example Configuration File

Below is a standard configuration template that can be customized for your environment:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <configSections>
  <section name="PathConfigurationSection" type="Veza.Integrations.PathConfigurationDataSection, PathConfiguration, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
 </configSections>
 <PathConfigurationSection>
  <PathConfigurations>
  <!-- Define your standard file paths here -->
  </PathConfigurations>
 </PathConfigurationSection>
 <appSettings>
  <!-- Local Account Collection Settings -->
  <add key="windows_local_accounts-enabled" value="true" />
  <add key="windows_local_accounts-interval" value="60" />
  <add key="windows_local_accounts-services_enabled" value="true" />
  <add key="windows_local_accounts-tasks_enabled" value="true" />
  <add key="windows_local_accounts-save_json" value="false"/>

  <!-- Veza API Connection Settings -->
  <add key="veza-api_key" value="YOUR_API_KEY_PLACEHOLDER" />
  <add key="veza-url" value="https://YOUR_TENANT.vezacloud.com" />
  <add key="veza-loglevel" value="Info" />

  <!-- File Share Discovery Settings -->
  <add key="windows_files-enabled" value="true" />
  <add key="windows_files-interval" value="120" />
  <add key="windows_files-threads" value="1" />
  <add key="windows_files-save_json" value="false"/>
 </appSettings>
</configuration>

Automated Deployment Example

For large-scale deployments to multiple servers, you can use a script like this:

# 1. Deploy MSI package
msiexec /i Veza.msi /qn

# 2. Deploy golden configuration file
Copy-Item "\\deployment-share\Veza\Veza.config" -Destination "C:\Program Files\Veza\Veza.config" -Force

# 3. Securely store API key (this encrypts the key using Windows Data Protection API)
Start-Process -FilePath "C:\Program Files\Veza\VezaWindowsTray.exe" -ArgumentList "--api_key=YOUR_ACTUAL_API_KEY" -NoNewWindow -Wait

This approach securely manages the API key as it is encrypted and decrypted using LocalMachine credentials via the Windows Data Protection API.

GUI Configuration (manual deployment)

Post-installation, open Veza for Windows from the Start menu.

Under the Veza API tab, input your Veza instance URL into Veza URL.
Paste the previously created API key into Veza API Key.
Click Apply.

To verify the successful connection, log in to Veza and open the Integrations page. You should see Windows Server enabled on the list of all integrations.

Note: The installed service needs to run with Administrative privileges.

Security Considerations

API Key Management

The Veza Windows integration uses an API key to authenticate with the Veza tenant. Important security considerations include:

Key Generation: API keys are issued from the Veza tenant by users with administrative access
Key Deployment Options:
- Deploy a unique key per server for the highest security
- Deploy a shared key across all servers for simplified management
- Deploy keys by department or region for balanced security and management
Key Storage:
- The API key is encrypted using Windows Data Protection API
- Stored in the configuration file at C:\Program Files\Veza\Veza.config
Key Rotation:
- Keys are not automatically rotated
- Keys can be manually deleted and replaced with new ones via the Veza tenant
Key Compromise:
- A compromised key would grant access to the endpoints listed in Veza APIs
- Immediately delete and replace any compromised keys

See Authentication for more about Veza API keys.

Network Security

The Veza Windows integration requires:

Outbound HTTPS (443) access to the Veza tenant or Insight Point
All data is transmitted using TLS 1.2 or higher

No inbound connectivity is required.

Update Management

The Veza for Windows application follows a separate release cadence from the Veza platform:

Updates are released only for bug fixes, security bulletins, and feature enhancements
Updates are manually deployed via new MSI packages published by Veza
No automatic updates are performed
Update notifications are sent to tenant administrators

To update existing installations:

Download the latest MSI from Veza
Deploy using the same methods as the initial installation
The installation program will automatically upgrade the existing installation

Configuration settings are preserved during upgrades.

Standard Functionality

Windows Local Accounts

This service identifies local security principals on the Windows Server host. By default, it detects:

Local user accounts
Local groups
(Optional) Installed services
(Optional) Configured scheduled tasks

Properties

User Properties

Description

cannot_change_password

Indicates if the user's password can't be changed (boolean)

locked_out

Shows if the user account is locked out (boolean)

password_never_expires

Checks if the user's password is set to never expire (boolean)

password_not_required

Checks if the user doesn't need a password (boolean)

type*

Differentiates between local or active directory user accounts (string)

Group Properties

Details

type*

Specifies if the group is local or associated with active directory (string)

Scheduled Task Properties

Details

path

Full path of the scheduled task (string)

state

Current state: Ready, Running, Disabled, etc. (string)

Service Properties

Details

service_account_name

Account used to run the service (string)

start_type

Start type: Automatic, Manual, etc. (string)

status

Current status: Running, Stopped, etc. (string)

Note (*): Local groups on Windows Server can contain both Active Directory subgroups and local user accounts. The type property distinguishes between the two entities.

Windows Files

This service discovers filesystem permissions for specified paths and subdirectories based on the set depth. It primarily identifies:

Filesystem paths
Active Directory users and groups with permissions on each path
Permission inheritance

Limitations

Designed for SMB file shares utilizing Active Directory permissions
Metadata from security principals that do not correlate to Active Directory users or groups is omitted before sending data to Veza
Enumerating large shares can be more memory-intensive and will increase the RAM requirement during execution

Configuration Options

Local Accounts

In Local Accounts, adjust settings as desired:

Option

Purpose

Enabled

Toggles discovery (check mark to enable discovery)

Discovery Interval

Sets interval between discovery runs (min: 60 minutes)

Include Services

Enables service discovery (optional)

Include Scheduled Tasks

Activates scheduled task data discovery (optional)

Files

In Folders, customize as needed:

Option

Purpose

Enabled

Toggles discovery

Discovery Interval

Time gap between discoveries (min: 120 minutes)

Discovery Threads

Sets concurrent discovery threads

Paths

Use Add Path to specify discovery paths

Troubleshooting

Common Issues

If you encounter connection failures:
- Verify network connectivity to the Veza tenant
- Check API key validity in the Veza tenant
- Ensure correct URL format (e.g. https://tenant-name.vezacloud.com)
For issues with high resource usage:
- If memory usage exceeds 50MB during normal operation, check file share sizes
- Reduce the number of discovery threads for file shares
- Increase discovery intervals
Log Analysis:
- You can adjust the service's log level using the dropdown menu. By default, logs are saved at C:\Program Files\Veza\Local Accounts\logs\VezaWindows.log and C:\Program Files\Veza\Folders\logs\VezaFiles.log.
- Set log level to Debug temporarily to gather more information for troubleshooting and support requests.
- Reduce the logging level after troubleshooting to minimize disk usage

Support

For additional assistance, contact Veza Support at support@veza.com or through your account representative.