Vulnerability Scanning Onboarding Steps - Rapid7

Uploaded by

Gregg dela Rosa

Vulnerability Scanning Onboarding Steps

Rapid 7 InsightVM

Contents
Document Control
Introduction
Scans
All Networks
1. External PCI Scan
2. Internal Vulnerability Scan
3. Host Discovery Scan
Specific Networks
4. Basic Web App Scan
5. Hardening Compliance Scan
Requirements
Network
Scan Engine
Agent
Software Installation Steps
Scan Engine
Agent
Central Deployment
Manual Installation
Next Steps

Document Control
Version   Reviewer / Author   Comment                                Review Date
1.00      Danny Chrismas      Create initial onboarding steps        21/03/24
1.10      Danny Chrismas      Amend Agent Instructions               02/04/24
1.20      Danny Chrismas      Clarify Extraction and Engine Secret   17/05/24
1.30                          Amended Agent Instructions

Introduction
This document provides the instructions for installing and configuring the software solution for network
scanning. The software solution comprises several components that work together to deliver a robust scan
of the hotel environment.

The document assumes that you have basic knowledge of the network and systems in use at the hotel for the
installation of the software. The document also assumes that you have the necessary permissions and access
rights to perform the installation and configuration tasks. If you encounter any questions or issues during the
installation process, please contact the support team at itservices@bwhhotels.co.uk or +441904695518.

Scans
This scan is a vulnerability assessment similar to those required within PCI, not a black box penetration test
where you would look to stop the attacker from ever gaining access. The aim here is to allow us to see if
there are any vulnerabilities that could be exploited if the attacker gained access to your network. For this to
work, the IP addresses of the scanners must be added to the allowlist (see Requirements, Network).

There will be up to five scans configured for the environment depending on requirements.

All Networks
1. External PCI Scan
The external scan will assess the perimeter of the network to check for possible vulnerabilities or a route into
the network.

2. Internal Vulnerability Scan
Performed by the Scan Engine for the local subnets. May cause some printers (e.g., Konica Minolta) to print
blank pages or gibberish whilst the scan is ongoing for that device – these can be discarded.

3. Host Discovery Scan
Scans the network to see the quantity of devices and the types of devices for us to configure the internal
scanner accurately.

Specific Networks
4. Basic Web App Scan
Scans public-facing applications on the network, for example a PMS web page or room service application.
(Complex web scans can be performed; however, these are an additional cost.)

5. Hardening Compliance Scan
Audits the policies on the devices against baseline compliance with CIS, DISA and Microsoft.

Requirements
Network
Please ensure the IPs of our cloud scanners below are added to the firewall allowlist so that they can connect
and are not filtered or rate limited by Intrusion Prevention and Threat Protection:

62.255.171.52/32 18.168.224.128/25 3.124.123.128/25
62.255.171.60/32 3.9.159.128/25 3.67.7.128/25
3.251.224.0/24 35.177.219.0/26 54.93.254.128/26
18.168.180.128/25 18.194.95.64/26

Unfiltered TCP 443 access to:

• r7.bwhhotels.co.uk
• *.insight.rapid7.com
• *.endpoint.ingress.rapid7.com
    o 3.120.196.152
    o 3.120.221.108
    o 18.192.78.218

If your network decrypts traffic in transit to perform deep packet inspection (DPI) using a transparent proxy,
agent-related data must be excluded from this process.

Endpoint Protection software must exclude the below and all subdirectories from real-time and scheduled
scanning:

• Windows - C:\Program Files\Rapid7\
• Mac and Linux - /opt/rapid7/

Scan Engine
OS: Windows 10 or later – Must be 64-bit (x64)
CPU: 2x 2GHz cores
Memory: 4GB RAM (8GB Recommended)
Disk Space: 30GB Free

Unfiltered access to the local subnets – if network segmentation is in place, do not change anything to allow
a connection between VLANs unless it should already exist (workstation connections to servers, for example).

Unfiltered TCP:40815 to r7.bwhhotels.co.uk

More information:

• Nexpose Quick Start Guide
• System Requirements

Agent
OS: Windows 10 or later, Server 2012 or later
CPU: 1 Dual Core
Memory: 1GB RAM
Disk Space Free: 4GB
Disk Speed: 15-50 IOPS

More Information:

• Operating System Support
• Network Traffic and Connectivity
• Endpoint Protection Software Exclusion

Software Installation Steps
There are several methods for deploying the software required to join the vulnerability scanning service. We
recommend a manual installation of the Scan Engine and a centrally deployed Windows Agent via Intune, or
Group Policy if Intune is not available. Choose the appropriate deployment type for your needs from the
sections in this document.

Please note that we haven’t detailed how to deploy the scanner via Centralised Deployment as it is unlikely
to be applicable to the hotel properties. If it is applicable, we can do this with the IT provider.

Scan Engine
The scanner should be installed on one device per internet connection. The appropriate installation file can
be downloaded from the following link: Installer and Checksum Downloads.

Note: Please ensure that the scan engine is not installed on a Hyper-V server, or on any server that
hosts a large number of files or applications that other systems depend on, as the scan may take all
the available resources from the server while it runs.

Run the downloaded installation file.

Select “Scan Engine Only,” ensure the “Communication Direction” is “Engine to Console.” Click Next twice.

Leave this box unticked and click next:

Enter your information on the User Details page, with your hotel name as the company.

This step cannot be skipped!

BWH IT will provide the Shared Secret. It has a short time limit of 60 minutes, so call us when you’re at this
stage on +441904695518.

If outbound ports are limited, open the firewall as per the requirements before asking for the shared secret.
You should be able to go to https://r7.bwhhotels.co.uk:40815/ and get a certificate warning.

Console Address: r7.bwhhotels.co.uk

Port: 40815 (this should already be pre-filled)

Shared Secret: *Call BWH IT*

Click Test after entering the Shared Secret and then click Next. If it fails, please call us to troubleshoot.

After the installation has completed, please reboot within 30 minutes to ensure the secret doesn’t expire
during the final installation steps. Once rebooted, please inform BWH IT and provide the public IP address so
the Scan Engine can be configured in the BWH Console and communication confirmed.
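
The firewall pre-check described above can be scripted so that the 60-minute Shared Secret window is not spent on troubleshooting. This is an added example, not part of the original document; the host and ports come from the Requirements section, while the function and variable names are illustrative.

```powershell
# Added example (not from the original document). Host and ports are the ones
# listed under Requirements; function and variable names are illustrative.
$ConsoleHost = 'r7.bwhhotels.co.uk'
$Ports       = 40815, 443

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    # Accept any certificate: the goal is to read what is presented, not to
    # trust it. The document expects a browser certificate warning on 40815.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

$report = foreach ($port in $Ports) {
    $row = [ordered]@{
        Host = $ConsoleHost; Port = $port; Resolved = $null
        TcpOpen = $false; CertSubject = $null; CertIssuer = $null
    }
    try {
        # DNS first, then the TCP handshake, then the TLS certificate.
        $row.Resolved = (Resolve-DnsName -Name $ConsoleHost -Type A -ErrorAction Stop |
            Where-Object IPAddress | Select-Object -First 1).IPAddress
        $row.TcpOpen = (Test-NetConnection -ComputerName $ConsoleHost -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($row.TcpOpen) {
            $cert = Get-PresentedCertificate -HostName $ConsoleHost -Port $port
            $row.CertSubject = $cert.Subject
            $row.CertIssuer  = $cert.Issuer
        }
    } catch {
        Write-Warning "${ConsoleHost}:${port} - $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$report | Format-List
if ($report.TcpOpen -contains $false) {
    Write-Warning 'At least one port is blocked: fix the firewall before requesting the Shared Secret.'
}
```

If the issuer shown is your own firewall or proxy CA, traffic is being decrypted in transit, which the Requirements section says must be excluded for agent-related data.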

Agent
The scanning agent must be installed on all computers and servers.

Once the agent has been installed, please send BWH IT the Computer Names and IP Addresses
you collected as part of this process, for each device that the Insight Agent has been installed
on. This allows BWH IT to collate the devices in the backend correctly.

Central Deployment
If you have these tools available to install the agent software, it will save a lot of time. It is also possible to
deploy using other tools; however, we have not tested those.

To get the ProvidedToken for the agent installs, please contact BWH IT.

Intune
Add application and choose the app type “Line-of-Business App.”

Upload the Windows Agent.msi file and fill in the applicable details if required.

Add the below Command Line Argument, changing the variable to the one you have been provided.

Remove the * only from the below. PublicIP must be spaced with "-" rather than ".".

CUSTOMTOKEN=*ProvidedToken*

CUSTOMATTRIBUTES=*"PropertyID,PublicIP"*

Assign to all business owned Windows devices.

Connect to Microsoft Graph and initiate a sync on all devices.

Manual Installation
Method 1 – Certificate
To install the scanning agent on Windows, use the folder shared with you to download the “BWH IT.zip” file.
Extract this folder to C:\BWH IT\ and then run the “## Run This ##” file. It should look like the below:

This is only for Windows; if you require other operating systems, please let us know.

Once located, run this script as admin by double clicking it. When the script starts, it will ask you for the
property ID, please ensure you enter this before proceeding with the installation. If you do not know this,
please ask BWH IT and they can provide it to you.

Following that, it will install the agent without any further intervention required. Once the script has run,
ensure you note the IP addresses and hostname. Please make sure the device is left turned on for at least 30
minutes.

If you are unsure whether the agent has installed correctly, check services and look for the below:

Method 2 – Token
The installation file for Windows can be downloaded from the following link.

Copy the file “agent.msi” into “C:\temp” (you may need to create the temp folder).

Open Terminal, PowerShell, or Command Prompt as Admin and enter the below commands. If you are
unsure, skip to the graphical install section.

1. cd C:\temp
2. msiexec /i "C:\temp\agent.msi" /l*v insight_agent_install_log.log /quiet CUSTOMTOKEN=*ProvidedToken* CUSTOMATTRIBUTES="PropertyID,PublicIP"

PublicIP must be spaced with "-" rather than ".".
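
The Intune command-line argument and the Method 2 msiexec command share the same two easy mistakes: leaving the * markers in place and leaving the dots in the public IP. The sketch below is an added example, not part of the original document; it builds the argument list and rejects both mistakes. The function name, the log path under C:\temp and the sample token, property ID and IP are constructed placeholders, and the character restrictions on PropertyID are an assumption based on the comma-separated format shown above.

```powershell
# Added example (not from the original document). Sample values are constructed.
function New-AgentInstallArguments {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$PropertyId,
        [Parameter(Mandatory)][string]$PublicIp,
        [string]$MsiPath = 'C:\temp\agent.msi',
        [string]$LogPath = 'C:\temp\insight_agent_install_log.log'
    )
    # Require a full dotted-quad IPv4 address; TryParse alone accepts short forms.
    $ip = $null
    if ($PublicIp -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($PublicIp, [ref]$ip)) {
        throw "PublicIP '$PublicIp' is not a valid IPv4 address."
    }
    # The * characters in the document only mark the values to replace.
    if ($Token -match '\*' -or $PropertyId -match '\*') {
        throw 'Remove the * markers from the token and property ID.'
    }
    # Assumption: the comma separates the two attributes, so PropertyID
    # itself must not contain a comma, whitespace or quotes.
    if ($PropertyId -match '[,\s"]') {
        throw 'PropertyID must not contain commas, spaces or quotes.'
    }
    $dashedIp = $ip.ToString() -replace '\.', '-'   # 203.0.113.10 -> 203-0-113-10
    @(
        '/i',   "`"$MsiPath`"",
        '/l*v', "`"$LogPath`"",
        '/quiet',
        "CUSTOMTOKEN=$Token",
        "CUSTOMATTRIBUTES=`"$PropertyId,$dashedIp`""
    )
}

# Constructed sample values; use the token and property ID supplied by BWH IT.
$argList = New-AgentInstallArguments -Token 'EXAMPLE-TOKEN' -PropertyId '12345' -PublicIp '203.0.113.10'
"msiexec $($argList -join ' ')"

# From an elevated session, uncomment to install and check the exit code:
# $p = Start-Process msiexec.exe -ArgumentList $argList -Wait -PassThru
# if ($p.ExitCode -ne 0) { Write-Warning "msiexec exited with $($p.ExitCode); check the install log." }
```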

Next Steps
BWH IT will configure and run the scans on the network at an arranged time and date. Please ensure all
computers are switched on for the duration of the scans. Once the scans are completed, the results will be
analysed, and a report will be curated by BWH IT. When you receive the report, you will be able to uninstall the
software following another document that will be sent to you alongside the report.
