Deployment

The Shield Cyber Services must be installed on currently supported Windows Operating Systems, e.g., Windows Server 2016 and higher; Windows 10 and higher.
To deploy the Shield Active Directory (AD) service, navigate to the Deployment (Identity-Security) page and the Shield platform has a pre-generated deployment PowerShell script that can be executed on a single domain-joined Windows server or workstation. Once at the Deployment page, to generate the deployment PowerShell script, enter a Location, and the script will be displayed in the text box.

Troubleshooting

If there are errors when launching the PowerShell script, users can troubleshoot further by downloading the Shield Cyber MSI to the domain-joined Windows host, and perform the following commands one-by-one or together creating a PowerShell (.ps1) file and executing them together.
  1. Download the Shield Cyber Services MSI here: Shield Cyber Services MSI
  2. Run the commands below or save them to a PowerShell (.ps1) file to execute on the target hosts:
# OPTION FOR SCRIPTING - Set the execution policy temporarily for this process to ensure the script runs.  Users should not need to perform this step if they are executing the commands one-by-one.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

# Path to the MSI installer, assuming it is already in the designated location
$destination = "C:\Users\Public\Downloads\ShieldCyberServices.msi"

# Arguments for installing the MSI
$msiArguments = '/i "C:\Users\Public\Downloads\ShieldCyberServices.msi" SHIELD-LOCATION-NAME="CREATE-LOCATION" SHIELD_SUBSCRIPTION_ID="INSERT-SUBSCRIPTION-ID" SHIELD_SUBSCRIPTION_API_KEY="INSERT-API-KEY" INSTALL_ACTIVE_DIRECTORY="Yes" /quiet'

# Start the MSI installation
Start-Process msiexec -ArgumentList $msiArguments -Wait

# Sleep for ten seconds to ensure that installation processes have settled
Start-Sleep -Seconds 10

# Start the specified service, assuming it is correctly named in the script; adjust as necessary
Net Start ShieldCyber.Agent.AD.exe -Wait
Please update the file path location, as well as the SHIELD-LOCATION-NAM (user created value), INSERT-SUBSCRIPTION-ID (Subscription ID), and INSERT-API-KEY values within the script above
If there are additional issues, please send the errors received from these commands to support@shieldcyber.io.

Independent Service Installation

Alternatively, all Shield services can be installed by downloading the Shield Microsoft Installer (MSI) and launched directly on the Download the guided Shield MSI here and run as Administrator on a Windows host within the desired internal network. Once the MSI is downloaded and executed, you will be prompted to begin the installation:
Click next to decide where to install the files for the services:
On the next screen, you will need to select the services to install. The following services are available:
  • Active Directory: Active Directory collection module
  • Nessus: Nessus Professional integration service installation
  • Shield: Shield network scanner module
Select next to install all dependencies and proceed to the service configuration for the choices that were selected. Insert the following in the Active Directory service configuration:
  • Location Name: Name a location for the specific network where you will be deploying. This can be any value, however, it will need to be distinct for within each subscription. This should be the same value as the Shield scanner configuration within the next step.
  • Subscription ID: Insert the Subscription ID for where the scanner location should be created.
  • API Key: Enter the designated API key for the subscription. This value can be copied directly from the platform on the Subscriptions page.
Please note, users have the ability to regenerate the subscription API Key, however, once this is regenerated, the previous API Key(s) will no longer work. To re-connect any services utilizing old API Key(s), please modify the existing API Key and restart any deployed services.
Click next to proceed to input the credentials that the Active Directory service will run under the context of:
The credentials will need to be entered in the following format:
  • User Name: DOMAIN\Username
  • Domain: domain.local
  • Password: Password (If you are using a GMSA/MSA, this can be left empty)
Shield recommends setting up a group managed service account (GMSA) with limited permissions on the domain to run the Active Directory service. To view guidance on creating a GMSA, please review the following guidance from Microsoft here.
Click next to proceed to install all the Shield AD service and finalize the installation:
To verify that the Active Directory service installed correctly, you can open the services pane (Windows Key + run.exe and enter services.msc), and the Shield Cyber AD Agent should be running:

Results

Once the service is installed, the AD objects and risks associated with the objects should start to populate within the Identity Security module within the Shield platform.