March 2023

Installation and Configuration

Security Controls Connector 2023.1.1

Please note, from the 2021.3.1+ connector has changed extensively, and dashboards created in previous
versions will fail. All OOTB Dashboards have been re-created for the new version and the default folder is
now “Ivanti Security Controls”.

The Security Controls and ISeC connectors can both exist in the same datamodel.

Xtraction only queries the Security Controls database, it has no direct interaction with the application itself.
Be aware that the data returned in Xtraction may differ from what is represented in the Security Controls
Console. The reason for this is that not all actions in Security Controls are immediately updated in the
Security Controls database and data and values displayed may be calculated at runtime and not be the
result of database queries.

To configure the Ivanti Security Controls connection

1. Create a read-only user to the Ivanti Security Controls database.

2. Copy the provided Ivanti Security Controls data model file to the Data\Configuration directory, located by
default at:
C:\Program Files (x86)\Xtraction Software\Xtraction\Data\Configuration

3. On the Xtraction server, open the

Xtraction Data Model Editor program from the Start Menu

Click File > Open or Ctrl-O to open the file in the folder location mentioned above.

1
 March 2023

4. If you have an existing DataModel.dat file that you have already configured, and want to preserve the
existing connections, you will need to merge the provided Ivanti Security Controls (ISeC) data model into
DataModel.dat file using Copy Objects.

Note: You will need an Enterprise Server license to complete this step:

a. Click Tools > Copy Objects.

b. Right Click anywhere in the red outlined

area and Select Load External Data Model.

c. Navigate to the Data\Configuration location and

Select the provided Ivanti Security Controls data model file and Open

d. Expand the Data Model in the Copy Source (External File) screen to the Security Controls Datasource

e. Drag the Security Controls Datasource over to the Data Model in the Destination Screen

f. Click Yes to Confirm and then Close, the additional Security Controls Datasource is now visible

g. Click File > Save to complete the process

2
 March 2023

5. If you are not replacing an existing DataModel.dat file, just rename the existing file to be the DataModel.dat
file using File > Save As or Shift-Ctrl-S once you are done configuring.

6. Enter the connection details for the Ivanti Security Controls data model database.

a. Click Tools > Connection String Editor.

b. Click the Connection column next to the Security Controls data source.

c. Click the ellipsis (…) for the connection and enter the connection string properties
for the Security Controls data source.
Note: For SQL Authentication, enter User Id and Password. For Windows Authentication leave User
Id and Password blank and check the Integrated Security checkbox.

d. Click the Test button to validate that the connection can be made.

e. Be sure to save your updated DataModel.dat file by selecting File > Save or Ctrl-S. The file must be
named DataModel.dat. If renaming, use Save As.

7. Edit the Custom Fields if used:

a. Custom Fields are available in the following views:
- Machine
- All Windows Patching Views
- All Linux Patching Views
- Deployments

b. Open the Data Model Editor and File -> Open the DataModel.dat file in the Configuration
Folder.

3
 March 2023

c. Expand the Security Controls datasource, Expand the Machine View

- Double Click the Custom Table
- Double Click Custom 1, 2, 3 fields in turn

- Edit the Text field to the required value.

- DO NOT change the ID or Expression.
- Repeat with all other views in the datamodel
- Once Finished – File Save

d. Start Xtraction from any terminal and using an Admin login reload the datamodel
- The updated datamodel is available for all users.

8. The Security Controls Connector from 2021.3.1 onwards can show the current state of a machine as
per all scans. To do this there are additional tables required in the database as well as a scheduled
re-syncing of the data.
a. ie. Required patches may have been scanned, detected and installed at different times in
the machine’s lifecycle. The machine may only have been scanned for other patches
subsequently, these additional tables collate the last scan result for all detected patches, so
the complete machine health can be determined rather than just the status of a sub-group
of patches.

9. Run the “Script - Ivanti Security Controls Create Database Objects.sql” file against the Ivanti Security
Controls database, this will create all the required Stored Procedures and Tables automatically.

4
 March 2023

10. Run the “Script - Ivanti Security Controls Cumulative Patches.sql” file against the Ivanti Security
Controls database, this will insert details of all cumulative patch types.

11. If using any SQL Server edition apart from Express

(If using Express disregard and go to item 14.)

Run the “Script - Ivanti Security Controls Create Job Data Refresh.sql” on the Security Controls
database server, it requires an account and the database name to be entered.

This creates a job using the SQL Server Agent that syncs the latest data on an hourly basis, the time
period can be altered to suit individual needs.

12. The installation can be tested by executing the dbo. Xtr_UpdateData stored procedure, inserts,
updates and deletions are recorded in the xtrEntityProcessLog table.
Test the job by running it manually in the SQL Server Agent.

Installation complete

13. If using SQL Server Express

(Not required for any other edition)

SQL Express does not have the SQL Server Agent enable so it cannot be used to schedule the sync.

This will guide you in creating a scheduled job to run in Task Manager

- Copy the “Task - Ivanti Security Controls Sync Scheduler vxxxx.zip” file to a folder on the Server
which hosts the Security Controls database.
- Unzip the file to a C:\TEMP folder, create one if not already there
You will have the following files
o RefreshSecurityControlsSync.bat (Only one that needs to be edited)
5
 March 2023

o RefreshSecurityControls.sql
o CreateISeCSyncTask.ps1
o Script – Ivanti Security Controls Account Persmissions v202x.x.x.sql
- Open RefreshSecurityControlsSync.bat in a text editor such as notepad, adjacent are the areas
that will need some input.
- There are 2 lines that begin with sqlcmd, only one needs to be used. The top is used if Windows
Authentication is preferred option, the 2nd if SQL Authentication is to be used.

Items to be edited: (Note: Inputs are in plain text, no commas or quotation marks are used)

o Rem - Insert rem in front of the “sqlcmd” NOT to be used, this is short for remark and
anything on that line will be disregarded.
o YourSQLServerName – name of the SQL Server instance
o SecurityControlsDatabase – name of the Security Controls database, default is
SecurityControls but maybe anything
o If using Windows Authentication, un rem line 1, rem out line 2, save file and that is all
that is required.
o If using SQL Authentication insert a UserAccount that has at least read access to the
Security Controls database and the corresponding Password.
Leave line 1 rem in place and save file.

Note: If this account, (regardless of whether it is a domain account or SQL Account) has less than
full dbo rights to the Security Controls database, the
o Script – Ivanti Security Controls Account Persmissions v202x.x.x.sql
Script will need to be run against it. The script gives the account dbo rights to only the Tables and
Stored Procedures required by the Xtraction Sync process leaving the reduced permissions to all
Core Security Controls objects. Change the account name as required before running.

6
 March 2023

Option a. Automated Task Creation

- Run Powershell ISE as Administrator.

- File -> Open and navigate to “CreateISeCSyncTask.ps1” in the C:\Temp folder.
- Click on Run Arrow or Click shortcut key F5.
The blue Powershell screen will populate while it creates folders, tasks and copies across files.

- To check that everything has been set-up correctly, go to Task Scheduler

o Scroll down to the Ivanti / Security Controls / Reports folder and the “Xtraction ISeC
Sync” task should be there.
o Right click on the task and select Run
o Status of the job will appear after a short time or by manually refreshing

Presumptions:

- Installer has the rights to run Powershell as an administrator

7
 March 2023

The account used in the script is NT Authority\SYSTEM and it relies on

- NT Authority\SYSTEM having retained its default full access to SQL Server

- NT Authority\SYSTEM having retained its default full access to all folders

Option b. Manual Task Creation

- Create the required folders to have the following tree:

C:\Ivanti\Xtraction\ISeC Sync\Log
- Copy both “RefreshSecurityControlsSync.bat” and “RefreshSecurityControls.sql” into the
“ISeC Sync” folder
- Give the account that will run the Task in the scheduler, full read/write access to the folder
- Create a new Task in the Windows Task Scheduler with the following requirements
o Create a Folder Structure Ivanti / Xtraction / Security Controls Sync

Under the General Tab:

o Name – Something self-explanatory

o Description – Something self-explanatory
o User Account – SYSTEM (recommended)
▪ Run whether user is logged on or not – Checked
▪ Run with highest privileges – Checked
Note: Can be any Windows Account however the account must have
“Log on as batch job rights” as specified in Local Security Policy. To check, look in

Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a batch job

8
 March 2023

▪ Note: this account is the account that will log on to the Security Controls
database if Windows Authentication has been selected in the
“RefreshSecurityControlsSync.bat file”.
▪ Configure for: OS as required

o Triggers – Recommended Hourly / Indefinitely

o Actions – Start a program

▪ Navigate to the RefreshSecurityControlsSync.bat file
o Add Arguments – None Required
o Starts in – None Required

9
 March 2023

- To check that everything has been set-up correctly, go to Task Scheduler

o Scroll down to the Ivanti / Xtraction / Security Controls Sync folder and the “Xtraction
ISeC Sync” task should be there.
o Right click on the task and select Run
o Status of the job will appear after a short time or by manually refreshing

Installation complete

10
 March 2023

Troubleshooting:

- What should happen every time the task runs:

o A history log is created in the Task Scheduler

o A new log should be created in the “C:\Ivanti\Xtraction\ISeC Sync\Log”

folder with a date and time
o Each log should be around 33K in size

o A corresponding log with a similar timestamp in UTC should be made in the database

11
 March 2023

- In this example, there are logs in the Task History and Logs for 16.42.53 and 16.45.49 local time
but no sync for 05:45 in the database, local time here is GMT +11, adjust for your local.
The 16.42.53 sync ran as expected:
o There was a record in the Task History.
o A log was created at 16.43.
o The database synced without error at 05:43 UTC
- The 16.45.49 did not
o There was a record in the Task History at 16:45.
o The log for 16.45.49 is only 1KB in size which would also indicate an issue.
o There was no record in the database at 05.45 UTC.

Process
o Look for errors in the DB first
The xtrEntityProcessLog table returns data from the sync process:
o If there are errors in the syncing of data, they will appear here:

o Details of the error(s) can be seen in the xtrEntityProcessErrorLog table:

12
 March 2023

o if there is no record here, then the issue happened prior to the database sync being
initiated and attention should be directed to the bat file the Scheduler is calling.

- Navigate to the location of the “RefreshSecurityControlsSync.bat” file.

o “C:\Ivanti\Xtraction\ISeC Sync” folder by default

- Right Click to Edit in Notepad or another editor.

- Check the Server Name / Database / Creds (if using) are correct.
- Ensure the unused connection string has the work rem in front of it.

- Save any changes and Close the editor.

- If using SQL Authentication,
o Double click the bat file to run.
- If using Windows Authentication
o Holding down the SHIFT key, Right Click and Select Run as different user.
o Insert the credentials of the account running the task in Task Scheduler, if that account is
SYSTEM, use a different account that has at least dbo rights to the Security Controls DB.
▪ This is just trouble shooting exercise to determine the script is running correctly.
- A command prompt window should open and stay open for the duration of the sync, it should
not appear and disappear momentarily, this would indicate an error has occurred.
- Check the logs in the “C:\Ivanti\Xtraction\ISeC Sync\Log” folder, there should one there that
corresponds to the current date and time and should be approx. 33KB in size.
- If there is an error, open the log to determine the cause, most common errors will be:
o Cannot connect with the database
▪ Usually, the log will be around 1K.
▪ Check SQL Server service are running.
▪ Recheck the connection string details in the “RefreshSecurityControlsSync.bat”
file.
o Permission issues
▪ The log is usually around 31K and there is a message at the very end, similar to
the one below.

13
 March 2023

▪ Confirm the permission script was run successfully against the Security Controls
database, re-run if required for the account running the Task in the Windows
Scheduler.

- Assuming the script ran correctly and there is still no data being synced, the next thing to check
is Scheduled Task
o Scroll down to the Ivanti / Security Controls / Reports folder and the “Xtraction ISeC
Sync” task should be there.
o Right click on the task and select Run.
o Status of the job will appear after a short time or by manually refreshing.

- Potential Issues
o Account running the Task does not have full control access to the folder containing the
“RefreshSecurityControlsSync.bat” file.
o Account in Task should be set to Run With Highest Privileges.
o Task in some environments needs the following arguments added to the Action, copy
lines below and paste into the arguments text box.

-NoProfile -WindowStyle Hidden -command "& {get-eventlog -logname Application -After ((get-
date).AddDays(-1)) | Export-Csv -Path C:\Ivanti\Xtraction\ISeC Sync\Log\applog.csv -Force -
NoTypeInformation}"

14