Some Windows sensor RepCLI commands require user authentication. This article explains how to enable authentication.

To enable RepCLI authentication during sensor installation, use the CLI_USERS=sid command-line option. See Installing Windows Sensors on Endpoints and Windows Sensor Supported Commands. To enable authentication after the sensor is installed, perform the following steps.

Procedure

  1. In the Carbon Black Cloud console, click Inventory > Endpoints.
  2. Select the endpoint, click Take Action, and click Enable bypass. Confirm the action.
  3. Open a command prompt window as an administrator to perform the remaining steps.
  4. Create a backup of the cfg.ini file.
    For Windows sensor versions 3.6 and earlier, type the following command:
    copy "C:\Program Files\Confer\cfg.ini" "C:\Program Files\Confer\cfg-bkp.ini"
    For Windows sensor versions 3.7 and later, type the following command:
    copy "C:\ProgramData\CarbonBlack\DataFiles\cfg.ini" "C:\ProgramData\CarbonBlack\DataFiles\cfg-bkp.ini"
  5. Append the following parameter to cfg.ini: AuthenticatedCLIUsers=<SID>, where SID is an AD group or user SID. Because only one SID is allowed, do not run this command more than one time. For example:
    echo AuthenticatedCLIUsers=S-1-5-21-992878714-4041223874-2616370337-1001 >> C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
    Caution: It is critical to use >> instead of > in the command syntax. Using > would replace all file contents with the single line that is being added.

    As a best practice, we recommend that you do not use the SID of the local administrator account, because that SID is well known and could be used for malicious purposes by an attacker. We recommend that you specify the SID of an AD group instead. That way, you enable authentication based on a single SID, rather than running RepCLI authenticated commands as a single user or through a shared account (which is less secure). You can update the group membership as needed to grant additional users secured use of RepCLI.

  6. Verify that the inserted value is saved in cfg.ini.
    For Windows sensor versions 3.6 and earlier, type the following command:
    findstr "Authenticated" "C:\Program Files\Confer\cfg.ini"
    For Windows sensor versions 3.7 and later, type the following command:
    findstr "Authenticated" "C:\ProgramData\CarbonBlack\DataFiles\cfg.ini"
  7. After you have verified the cfg.ini contents, delete the cfg-bkp.ini file that you created in Step 4.
  8. Change to the RepCLI directory; this is C:\Program Files\Confer.
  9. Run the following RepCLI command: repcli updateconfig.
  10. Disable bypass by running repcli bypass 0.
    Note: If Step 10 fails, the most likely causes are an error in cfg.ini or that you are not a member of the AD group identified by the SID. To check the latter, type whoami /groups.
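As an added example (not Carbon Black's own tooling), the following PowerShell script carries out Steps 4 through 10 as a single run: it backs up cfg.ini, refuses to append a second AuthenticatedCLIUsers line, verifies the saved value and restores the backup on failure, and performs the whoami membership check before leaving bypass. It assumes an elevated prompt with the endpoint already in bypass, takes the SID as a parameter, and picks the cfg.ini path by which of the two documented locations exists.

```powershell
# Added example, not Carbon Black's own code: performs Steps 4-10 of the procedure above in one run.
# Assumptions: elevated PowerShell, the endpoint is already in bypass (Steps 1-3), and $Sid is the
# AD group (or user) SID you want to authorise; the cfg.ini path is chosen by which location exists.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^S-1-\d+(-\d+)+$')]   # basic SID shape check before touching cfg.ini
    [string]$Sid
)

# The two documented cfg.ini locations: 3.7 and later use ProgramData, 3.6 and earlier Program Files.
$candidates = 'C:\ProgramData\CarbonBlack\DataFiles\cfg.ini', 'C:\Program Files\Confer\cfg.ini'
$cfg = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $cfg) { throw 'cfg.ini was not found in either documented location.' }

# The article advises against the built-in Administrator SID (RID 500) because it is well known.
if ($Sid -match '-500$') { throw 'Use an AD group SID, not the built-in Administrator account SID.' }

# Step 4: back up cfg.ini next to the original.
$backup = Join-Path (Split-Path -Parent $cfg) 'cfg-bkp.ini'
Copy-Item -LiteralPath $cfg -Destination $backup -Force

# Step 5: only one AuthenticatedCLIUsers value is allowed, so refuse to append a second one.
$raw = Get-Content -LiteralPath $cfg -Raw
if ($raw -match '(?m)^AuthenticatedCLIUsers=') {
    throw 'cfg.ini already contains AuthenticatedCLIUsers; edit the existing line instead of appending.'
}
# Start the new key on its own line even if the file has no trailing newline (echo >> does not check this).
$prefix = if ($raw -and -not $raw.EndsWith("`n")) { "`r`n" } else { '' }
Add-Content -LiteralPath $cfg -Value "${prefix}AuthenticatedCLIUsers=$Sid" -Encoding Ascii

# Step 6: verify the saved value; on mismatch restore the backup (Step 7 deletes it only on success).
$saved = Select-String -LiteralPath $cfg -Pattern '^AuthenticatedCLIUsers=' | Select-Object -First 1
if (-not $saved -or $saved.Line.Trim() -ne "AuthenticatedCLIUsers=$Sid") {
    Copy-Item -LiteralPath $backup -Destination $cfg -Force
    throw 'Verification failed; cfg.ini was restored from cfg-bkp.ini.'
}
Remove-Item -LiteralPath $backup

# Steps 8-10: reload the config and leave bypass. The article's whoami /groups check is done first,
# because bypass 0 fails when the current user is neither the SID nor a member of the SID group.
$mySids = @((whoami /user /fo csv | ConvertFrom-Csv).SID) + @((whoami /groups /fo csv | ConvertFrom-Csv).SID)
if ($mySids -notcontains $Sid) { Write-Warning "Current user does not hold $Sid; repcli bypass 0 may fail." }
Set-Location 'C:\Program Files\Confer'
.\repcli updateconfig
.\repcli bypass 0
```

Run it as .\Enable-RepCliAuth.ps1 -Sid S-1-5-21-... (script name is a placeholder); if the membership warning appears, add the account to the group and re-run only the two repcli commands, since cfg.ini is already updated.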