philem Newcomer 3 posts since
Oct 10, 2012
Oct 10, 2012 8:47 AM

Inconsistent Access Type

Hi,

 

We have several Windows 2003 servers in our DMZ. All deployed the same way and we used the same script to create the admin account used by MVM to scan them. Technically, it should return the same Access Type value but it is not the case on all servers. Most of them would return 65546 but some would return 66314, 66315 and even 10 or 8?

 

What could cause such inconsistency? Our support folks swear they didn't change anything on the servers. How could we check the differences between servers during a scan?

 

We couldn't replicate the issue in dev. We tried deleting and creating the admin account in prod on the faulty servers, no success. We tried creating the account at different stages of the build process, before and after our hardening script, no luck either. We are using MVM 7.0.8.

  • Community Leader 479 posts since
    Nov 3, 2009
    1. Oct 10, 2012 5:37 PM (in response to philem)
    Re: Inconsistent Access Type

    You can increase the logging level, and check the logs for specifics:

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Foundstone\Foundscan\Tweaks] (for 32-bit host) or

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Foundstone\Foundscan\Tweaks] (for 64-bit host)

    ** if the key "Tweaks" doesn't exist, create it. **

    LogWam DWORD Value 'ff'

     

    Rescan, and you can see exactly what access MVM got, and any failures too.

     

    -Cathy

  • Community Leader 479 posts since
    Nov 3, 2009
    3. Oct 29, 2012 1:32 PM (in response to philem)
    Re: Inconsistent Access Type

    Hi philem,

     

    Yes, sorry I wasn't more specific.  Apply the tweak on the Engine that you run the scan from.  No need to restart any services.

     

    The daily log (~foundstone\logs\LogFile.<date>.txt)  will show very verbose info in regards to authentication, so you will want to disable it after you get the results.

     

    -Cathy
