4 Replies Latest reply: Nov 15, 2012 2:30 PM by philem

    Inconsistent Access Type




      We have several Windows 2003 servers in our DMZ. All deployed the same way and we used the same script to create the admin account used by MVM to scan them. Technically, it should return the same Access Type value but it is not the case on all servers. Most of them would return 65546 but some would return 66314, 66315 and even 10 or 8?


      What could cause such inconsistency? Our support folks swear they didn't change anything on the servers. How could we check the differences between servers during a scan?


      We couldn't replicate the issue in dev. We tried deleting and creating the admin account in prod on the faulty servers, no success. We tried creating the account at different stages of the build process, before and after our hardening script, no luck either. We are using MVM 7.0.8.

        • 1. Re: Inconsistent Access Type

          You can increase the logging level, and check the logs for specifics:


          [HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

          [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks]  (for 64-bit host)

          ** if the key "Tweaks" doesn't exist, create it. **

          LogWam DWORD Value 'ff'


          Rescan, and you can see exactly what access MVM got, and any failures too.



          • 2. Re: Inconsistent Access Type

            Hi Cathy,


            Thanks for your answer. I am assuming that I need that registry key on the server running MVM and not the 800 boxes that we are scanning. Right?

            • 3. Re: Inconsistent Access Type

              Hi philem,


              Yes, sorry I wasn't more specific.  Apply the tweak on the Engine that you run the scan from.  No need to restart any services.


              The daily log (~foundstone\logs\LogFile.<date>.txt)  will show very verbose info in regards to authentication, so you will want to disable it after you get the results.



              • 4. Re: Inconsistent Access Type

                Hi Cathy,


                So I compared logs from two Win2003 servers. The one with access type 65546, all scripts run ok. The one with access type 10, I see two warnings at the beginning of the log:


                Warning (80070043): Could not connect to an administrator share; presuming not accessible.

                Warning (80070035): Could not connect to remote registry; presuming not accessible.


                Any idea what could cause this? Both servers have the same user in the local admin group.
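
Added example, not part of the original thread and not MVM code: the eight-digit values in the two warnings quoted in reply 4 have the form of Windows HRESULTs, and when the facility field is 7 (Win32) the low 16 bits are an ordinary Win32 error code. The sketch below pulls such warnings out of log text and decodes them; the function names are hypothetical and the sample input holds only the two lines from the post.

```python
import re

# Win32 error codes carried by the two warnings quoted in reply 4
# (names and messages as defined in winerror.h).
WIN32_ERRORS = {
    0x35: ("ERROR_BAD_NETPATH", "The network path was not found."),
    0x43: ("ERROR_BAD_NET_NAME", "The network name cannot be found."),
}
FACILITY_WIN32 = 7

# Matches lines shaped like the ones in the post: "Warning (80070043): text"
WARNING_RE = re.compile(r"Warning \(([0-9A-Fa-f]{8})\):\s*(.*)")

# Constructed sample: only the two warning lines quoted in the thread.
SAMPLE_LOG = """\
Warning (80070043): Could not connect to an administrator share; presuming not accessible.
Warning (80070035): Could not connect to remote registry; presuming not accessible.
"""


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    failed = bool(value >> 31)         # severity bit: 1 means failure
    facility = (value >> 16) & 0x7FF   # 11-bit facility field
    code = value & 0xFFFF              # low 16 bits: facility-specific code
    return failed, facility, code


def explain_warnings(log_text):
    """Return one dict per warning line, with the Win32 code decoded."""
    findings = []
    for match in WARNING_RE.finditer(log_text):
        failed, facility, code = decode_hresult(int(match.group(1), 16))
        name, meaning = "unknown", "not in local table"
        if facility == FACILITY_WIN32:
            name, meaning = WIN32_ERRORS.get(code, (name, meaning))
        findings.append({
            "hresult": match.group(1),
            "failed": failed,
            "facility": facility,
            "win32_code": code,
            "name": name,
            "meaning": meaning,
            "text": match.group(2).strip(),
        })
    return findings


if __name__ == "__main__":
    for f in explain_warnings(SAMPLE_LOG):
        print(f"{f['hresult']} -> Win32 {f['win32_code']} {f['name']}: {f['meaning']}")
```

Neither decoded value is ERROR_ACCESS_DENIED (Win32 code 5); both are network path or name lookup failures, reported for the administrator share and for the remote registry connection respectively.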