We have several Windows 2003 servers in our DMZ. All deployed the same way and we used the same script to create the admin account used by MVM to scan them. Technically, it should return the same Access Type value but it is not the case on all servers. Most of them would return 65546 but some would return 66314, 66315 and even 10 or 8?
What could cause such inconsistency? Our support folks swear they didn't change anything on the servers. How could we check the differences between servers during a scan?
We couldn't replicate the issue in dev. We tried deleting and creating the admin account in prod on the faulty servers, no success. We tried creating the account at different stages of the build process, before and after our hardening script, no luck either. We are using MVM 7.0.8.
You can increase the logging level, and check the logs for specifics:
[HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)
** if the key "Tweaks" doesn't exist, create it. **
LogWam DWORD Value 'ff'
Rescan, and you can see exactly what access MVM got, and any failures too.
Yes, sorry I wasn't more specific. Apply the tweak on the Engine that you run the scan from. No need to restart any services.
The daily log (~foundstone\logs\LogFile.<date>.txt) will show very verbose info in regards to authentication, so you will want to disable it after you get the results.
So I compared logs from two Win2003 servers. The one with access type 65546, all scripts run ok. The one with access type 10, I see two warnings at the beginning of the log:
Warning (80070043): Could not connect to an administrator share; presuming not accessible.
Warning (80070035): Could not connect to remote registry; presuming not accessible.
Any idea what could cause this? Both servers have the same user in the local admin group.
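
The hex values in the two warnings above are Windows HRESULTs. As an added example (not part of the original thread and not MVM code), this script pulls warning lines of that shape out of a verbose log and decodes each HRESULT into its Win32 error code; the function names and the small error table are assumptions of the example, and the sample input is the two lines quoted in the thread.

```python
import re

# Win32 error names from winerror.h for the codes seen in the thread's
# warnings, plus access denied for comparison; extend the table as needed.
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    53: "ERROR_BAD_NETPATH",    # "The network path was not found."
    67: "ERROR_BAD_NET_NAME",   # "The network name cannot be found."
}
FACILITY_WIN32 = 7  # HRESULTs that wrap a plain Win32 error use facility 7

# Matches lines shaped like: Warning (80070043): some text
WARNING_RE = re.compile(r"Warning \(([0-9A-Fa-f]{8})\):\s*(.+)")


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    failed = bool(value & 0x80000000)   # bit 31: severity
    facility = (value >> 16) & 0x7FF    # bits 16-26: facility
    code = value & 0xFFFF               # bits 0-15: error code
    return failed, facility, code


def triage(log_text):
    """Return one dict per warning line with the decoded Win32 error."""
    findings = []
    for line in log_text.splitlines():
        match = WARNING_RE.search(line)
        if not match:
            continue
        failed, facility, code = decode_hresult(int(match.group(1), 16))
        if facility == FACILITY_WIN32:
            name = WIN32_NAMES.get(code, "not in table")
        else:
            name = "non-Win32 facility"
        findings.append({"hresult": match.group(1), "failed": failed,
                         "win32": code, "name": name,
                         "message": match.group(2)})
    return findings


# Sample input: the two warning lines quoted in the thread.
SAMPLE_LOG = """\
Warning (80070043): Could not connect to an administrator share; presuming not accessible.
Warning (80070035): Could not connect to remote registry; presuming not accessible.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hresult']} -> Win32 {f['win32']} {f['name']}: {f['message']}")
```

Neither decoded code is ERROR_ACCESS_DENIED (5); both report that the share name or network path could not be found rather than that the account was rejected.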