philem
Level 7
Message 1 of 5

Inconsistent Access Type

Hi,

We have several Windows 2003 servers in our DMZ. All deployed the same way and we used the same script to create the admin account used by MVM to scan them. Technically, it should return the same Access Type value but it is not the case on all servers. Most of them would return 65546 but some would return 66314, 66315 and even 10 or 8?

What could cause such inconsistency? Our support folks swear they didn't change anything on the servers. How could we check the differences between servers during a scan?

We couldn't replicate the issue in dev. We tried deleting and creating the admin account in prod on the faulty servers, no success. We tried creating the account at different stages of the build process, before and after our hardening script, no luck either. We are using MVM 7.0.8.

4 Replies
cgrim
Level 13
Message 2 of 5

Re: Inconsistent Access Type

You can increase the logging level, and check the logs for specifics:

[HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)

** if the key "Tweaks" doesn't exist, create it. **

LogWam DWORD Value 'ff'

Rescan, and you can see exactly what access MVM got, and any failures too.

-Cathy

philem
Level 7
Message 3 of 5

Re: Inconsistent Access Type

Hi Cathy,

Thanks for your answer. I am assuming that I need that registry key on the server running MVM and not the 800 boxes that we are scanning. Right?

cgrim
Level 13
Message 4 of 5

Re: Inconsistent Access Type

Hi philem,

Yes, sorry I wasn't more specific.  Apply the tweak on the Engine that you run the scan from.  No need to restart any services.

The daily log (~foundstone\logs\LogFile.<date>.txt)  will show very verbose info in regards to authentication, so you will want to disable it after you get the results.

-Cathy

philem
Level 7
Message 5 of 5

Re: Inconsistent Access Type

Hi Cathy,

So I compared logs from two Win2003 servers. The one with access type 65546, all scripts run ok. The one with access type 10, I see two warnings at the beginning of the log:

Warning (80070043): Could not connect to an administrator share; presuming not accessible.

Warning (80070035): Could not connect to remote registry; presuming not accessible.

Any idea what could cause this? Both servers have the same user in the local admin group.

-Dan
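
For readers comparing verbose scan logs the way this thread does, the following is an added example (not part of any post above and not McAfee code) that pulls `Warning (<hex>)` lines out of two log excerpts, decodes each code as an HRESULT, and lists the warnings seen only for the failing host. The log layout beyond the two quoted warning lines, and the names `GOOD_LOG`, `BAD_LOG`, `decode_hresult`, `warnings_in` and `diff_hosts`, are assumptions made for the example.

```python
import re

# Win32 error names from winerror.h for codes likely to show up in
# authentication failures; extend the table as needed.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
               67: "ERROR_BAD_NET_NAME", 1326: "ERROR_LOGON_FAILURE"}
FACILITY_WIN32 = 7
WARNING_RE = re.compile(r"Warning \(([0-9A-Fa-f]{8})\):\s*(.*)")

# Constructed excerpts: only the two warning lines come from the thread;
# the other lines and the overall layout are assumptions.
GOOD_LOG = """\
host-a: authentication started
host-a: all scripts completed
"""
BAD_LOG = """\
host-b: authentication started
Warning (80070043): Could not connect to an administrator share; presuming not accessible.
Warning (80070035): Could not connect to remote registry; presuming not accessible.
"""

def decode_hresult(hex_code):
    """Split a 32-bit HRESULT into (failed, facility, code, win32_name)."""
    value = int(hex_code, 16)
    failed = bool(value >> 31)        # severity bit: 1 means failure
    facility = (value >> 16) & 0x7FF  # 11-bit facility field
    code = value & 0xFFFF             # low 16 bits carry the error code
    if facility != FACILITY_WIN32:
        return failed, facility, code, "not FACILITY_WIN32"
    return failed, facility, code, WIN32_NAMES.get(code, "unknown")

def warnings_in(log_text):
    """Return {hex_code: message} for every warning line in one log excerpt."""
    found = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found

def diff_hosts(good_log, bad_log):
    """Decoded warnings present for the failing host but not the reference host."""
    good, bad = warnings_in(good_log), warnings_in(bad_log)
    return [(code, *decode_hresult(code)[2:], msg)
            for code, msg in bad.items() if code not in good]

if __name__ == "__main__":
    for code, win32, name, msg in diff_hosts(GOOD_LOG, BAD_LOG):
        print(f"{code}: Win32 {win32} {name} | {msg}")
```

Both codes in the thread decode to Win32 errors about the network name or path not being found (67 and 53), which are distinct from access-denied (5) and logon-failure (1326).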
