Open-AudIT

What's on your network?

All times are UTC + 10 hours




Posted: Fri Jun 20, 2008 9:15 pm
Newbie

Joined: Fri Jun 20, 2008 8:41 pm
Posts: 3
Hi

Recently we have started to use Open-AudIT on our network and we have an issue with 2 machines (both Windows XP Pro).
OK...

The audit script is run from a scheduled task on a domain controller with a domain admin account. All PCs audit fine and the software works great, except for 2 machines on our network: they lose all network connectivity, no shares can be accessed, no internet, no email... nothing. The user has to reboot to fix this issue.

This is what I have found, and now I am stuck.

Invoke the audit from the web interface for the machine in question from that machine: works.
Invoke the audit from another machine (mine) using the web interface: after 30 secs the machine loses all network!

I have noticed that when the script audit is invoked, 2 TCP epmap ports are opened to my machine on the client (using RPC running with svchost.exe).
These ports close after the audit in all cases on all other machines, except on these 2 machines.
One of the epmap ports is left open to my machine and this causes failure of all other network connectivity from this point on.

If I run a netstat -b to find the PID of the svchost holding this port open I can use kill.exe to close this port.
This causes RPC to fail and invokes a shutdown.
I can abort this with a shutdown -a command.
Then the RPC service can be restarted and hey presto... everything works again!!!

Why is this happening?

Once this has been done on the client, a Windows Script Host error appears on my machine

Script c:\Documents and settings\wbou\local settings\temporary internet files\content.IE5\LBG8S8GJ\open-audit-of-CMAN-to-itsupport.domainx.co.uk from-10.126.x.x[1].vbs
Line : 4228
Char: 1
Error : The RPC Server is unavailable
Code : 800706BA
Source:SWbemLocator

A programmer in my office has looked at this (no expert in VBS) but thought this area of the script (line 4228) is trying to look in the registry and maybe has access denied, that's why it just hangs?

I have given all users full admin rights over the PC in question.
I have given everyone full access to the registry.
I have even changed the user assigned to start the RPC service.

Still the same... HELP. Why does this only happen on this machine!!!!

I am new to this product, but will try and provide any more info if needed... any help appreciated!!
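
The check described in the post above (finding the epmap connection that stays open after the audit, and the PID that owns it), as an added example that is not part of the original thread or of Open-AudIT. It compares two constructed `netstat -ano` snapshots taken on the audited client; the addresses, PIDs and function names are made up for illustration.

```python
import re

EPMAP_PORT = 135  # netstat shows this port as "epmap" when names are resolved

# Constructed `netstat -ano` snapshots from the audited client (sample data).
DURING_AUDIT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.21:135          0.0.0.0:0              LISTENING       968
  TCP    10.0.0.21:135          10.0.0.50:2871         ESTABLISHED     968
  TCP    10.0.0.21:135          10.0.0.50:2874         ESTABLISHED     968
  TCP    10.0.0.21:1042         10.0.0.5:445           ESTABLISHED     4
"""
AFTER_AUDIT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.21:135          0.0.0.0:0              LISTENING       968
  TCP    10.0.0.21:135          10.0.0.50:2874         ESTABLISHED     968
"""

# One TCP row: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def epmap_sessions(netstat_text, auditor_ip):
    """Return {(remote_port, pid): state} for port-135 sessions from auditor_ip."""
    sessions = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _lip, lport, rip, rport, state, pid = m.groups()
        if int(lport) == EPMAP_PORT and rip == auditor_ip and state != "LISTENING":
            sessions[(int(rport), int(pid))] = state
    return sessions

def lingering(during_text, after_text, auditor_ip):
    """Sessions seen during the audit that are still present afterwards."""
    during = epmap_sessions(during_text, auditor_ip)
    after = epmap_sessions(after_text, auditor_ip)
    return sorted((rport, pid, after[(rport, pid)])
                  for (rport, pid) in during if (rport, pid) in after)

if __name__ == "__main__":
    for rport, pid, state in lingering(DURING_AUDIT, AFTER_AUDIT, "10.0.0.50"):
        print(f"epmap session from :{rport} still {state}, owner PID {pid}")
```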


Posted: Sat Jun 21, 2008 7:29 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
99% certain this is an issue with the network card drivers on the affected machines. Update them to the latest version from the manufacturer's site, and try again.

Let me know if this fixes the issue.

BTW this should be in the support forum. Also I think there is a similar problem detailed there a while back, and I had a very similar issue with a bunch of identical NICs at one stage.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


Posted: Mon Jun 23, 2008 11:03 pm
Newbie

Joined: Fri Jun 20, 2008 8:41 pm
Posts: 3
Hi

Yeah sorry, noob in the forum, got the post in wrong section.

Right, it's an Asus MB with dual onboard Netgear NICs. Having trouble with the Asus website downloading new drivers!
So have disabled the NICs in the BIOS, and installed a good old Intel Pro 100 PCI NIC.

However, I still have the same issue with MS drivers, and the official Intel drivers from the web site.

The 2 machines affected are identical build, so a driver issue seems logical.

Have retested forced audit to and from multiple machines, but still only experience this problem on these 2. The port does not close, something is hanging / keeping that port open???

Running local audit is OK, and verbose mode runs fine too? (when forced locally)

Still stuck! Thanks for your help.

warren


Posted: Tue Jun 24, 2008 8:58 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Maybe set up the audits locally as a scheduled task, or AT job.

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


Posted: Tue Jun 24, 2008 1:49 pm
Are any events logged in Windows Event Log? Are these systems completely up to date on patches/hotfixes? Do they run any sort of firewall, intrusion detection system, etc?

Is there anything useful in this link: http://community.spiceworks.com/topic/578?


Posted: Tue Jun 24, 2008 10:44 pm
Newbie

Joined: Wed May 07, 2008 4:32 am
Posts: 42
99% sure this is due to Windows Firewall being enabled, if you are auditing remotely of course :-)

_________________
Server Info:
OS : Windows 2003 SP2
Auditing: 1700 Machines
LDAP: Active Directory


Posted: Thu Jun 26, 2008 7:54 pm
Newbie

Joined: Fri Jun 20, 2008 8:41 pm
Posts: 3
Hi,

Thanks for replies.
I have upgraded as many drivers as possible, but the ASUS web site is constantly busy.
The PC runs XP SP 2, fully patched (WSUS in place).
Windows Firewall is definitely disabled. Not only is this forced from GPO (we are running a 2003 AD Domain), but I have manually enabled and disabled the firewall to ensure this. No other software is in place on machines in the Domain that would prevent access.
Users running the process are Domain Admins.

Event Viewer shows no info (helpful) so this is a no go.

I can try and set the audit to run on a shutdown script, as we shut down all PCs at night; however, at present it runs at 12:00 from a scheduled task on a DC.

Thanks Guys


Posted: Fri Jun 27, 2008 8:22 am
Do you have any GPOs that limit which executables can be run on the machine, or any other lock down policies?

