In Windows systems, a Group Policy Object (GPO for short) is a feature that allows an administrator to tune the operating system’s settings and they’re widely used in Active Directory environments. GPOs are created in the Domain Controller and get applied to clients based on their position in the domain tree. Also, GPOs are capable of many tasks, and among them is the assignment of software programs to client workstations.

In this guide, we are going to create a policy to automate the deployment of the Wazuh agent on a Windows network with any number of workstations. The agent is published as an MSI package. This type of package is executed by the Windows Installer (msiexec.exe) which is in charge of registering the software on the system and configuring its settings.

Prerequisites

  • Wazuh Manager
  • Windows Server 2008 or newer
  • Windows Workstations (XP or newer)

Microsoft Transform File (MST)

The MSI package format contains a parameter database along with the actual program and installer utilities. In order to automate the agent installation, we’ll need to create a Transformation or MST (Microsoft Transform File) which will modify the parameter database at installation time. The MST file can be created with a number of software programs, but for the sake of simplicity, we’re choosing Orca.

First, let’s download the latest version of the Wazuh agent for Windows and place it in a local folder in your Windows computer.

  1. Download the latest version of Wazuh agent in a local folder in your Windows computer.
  2. Download and install Orca. (it comes bundled in the Windows SDK Components for Windows Installer Developers).

The Orca interface has several options, but our use case will be fairly basic.

Orca Interface

We’ll proceed to open the Wazuh agent MSI package with Orca. The interface shows the MSI internal database with a large number of options to personalize the package installation. Our subject of interest will be the Property table.

Wazuh Agent MSI's Property table

This Property table is where the MSI options get stored. You can see the default values there, but you can add any deployment variable supported by the Wazuh agent. Let’s take a look at the full reference.

In our example use case we already have a working Wazuh Manager with IP 192.168.5.10. Our protocol of choice will be UDP, and agent authentication is required with the password BlueWolf.

To accomplish this we’ll need to create a new Transformation and add a few rows to the Property table. First click on Transform > New Transform. Let’s go to the Property table and right-click on the table area, select Add Row, you’ll see a new dialog which accepts property and a value.

Orca New Row

Let’s add these, one by one:

  • ADDRESS: 192.168.5.10
  • AUTHD_SERVER: 192.168.5.10
  • PROTOCOL: UDP
  • PASSWORD: BlueWolf

Orca transform

The interface should be looking like this last image. Orca is highlighting the Transformation (basically a diff file), and this is what our transformation will have inside (although not in plain text). Let’s proceed and save changes. Click Transform > Generate Transform and save it to a file, let’s call it custom.mst for this example.

Creating a Group Policy

Now we have two files, wazuh-agent.msi and custom.mst, so we’re ready to start implementing the Group Policy. Let’s copy these two files to our Domain Controller (named dc1 in our example, you should use your own) and share it on a network folder named wazuh-agent with permissions for the security group Everyone (or you can reuse an existing share with these permissions).

Make sure that this folder is reachable from a workstation, Win+R and execute \\dc1\wazuh-agent. You should see both files.

Wazuh Agent on a Network Share

Let’s go back to the Domain Controller Win+R and execute gpmc.msc. This will start the GPO editor on the Management Console.

Active Directory

Let’s expand on our domain (corp.example.net) and right click on Group Policy Objects. Then select Create New, give it a name like Install Wazuh Agent and use None as Source Starter GPO.

You’ll see the new policy was created under Group Policy Objects, and let’s proceed to edit. Right click and select Edit, then open Computer Configuration > Policies > Software Settings > Software Installation and right click New > Package.

GPO New Package

An Open File dialog will pop up, after that:

  1. Select wazuh-agent.msi from the network share at \\dc1\wazuh-agent\wazuh-agent.msi and click OK.
  2. Select Deployment method: Advanced and the Wazuh Agent properties will show up, select the tab Modifications, click Add and select our custom.mst at \\dc1\wazuh-agent\custom.mst.

The Group Policy is ready, if you go to the Settings tab and click show all, you’ll be able to see the details. Our next step is applying this Policy to the right Organizational Unit.

You have two options to enable the Policy, you can select the new policy and drag it into the desired OU, or click the OU directly and select Link an Existing GPO. Then select Install Wazuh Agent (or any other name you used) and you’re done. The timing for when the agent will be installed depends on the time when the workstations sync GPO and apply the changes, and most likely on system startup.

Best practices recommend the creation of a new Organizational Unit with a disposable Windows workstation (a virtual machine will do) and to try your policy with it. Once you’re getting the desired outcome then it’s fine to apply the policy to the rest of the domain.

Remember you can force Windows to synchronize Group Policy by issuing a gpupdate /force at the command prompt.

As soon as the policy gets applied, clients should start to show up on the manager. You can list registered agents with /var/ossec/bin/manage_agents -l

ID: 001, Name: operations-desktop, IP: 192.168.5.210
ID: 002, Name: dc1, IP: 192.168.5.200

Stats will be available at the Wazuh plugin on Kibana.

Kibana showing Windows agents

We have learned how to deploy the Wazuh agent on a Windows Active Directory infrastructure using Group Policy Objects (GPO). All we have done is to define a Transformation file with our environment’s specific details and then apply it through a policy.

References