Open-AudIT

All times are UTC + 10 hours




PostPosted: Mon Sep 17, 2007 9:20 pm 
Newbie

Joined: Fri Sep 14, 2007 10:08 pm
Posts: 3
I have set this system up to audit our WAN, although I had a problem at first getting it through the firewall. Initially I had 135 and 445 open; however, it still wouldn't get through the firewall to audit remote machines. After monitoring ports whilst running an audit, it turns out that Cscript was also trying to use 1126. After opening this port, all audits worked fine. I know that this isn't a problem as such, but I thought I'd put it here in case anyone else has the same problem.


PostPosted: Tue Sep 18, 2007 2:51 am 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I think this is used by WMI over SSL. I currently have another issue, which I think is probably domain policy related, but may be port related, and has only sprung up in the last week or so. I can no longer connect to WMI at all on machines which have up until now always responded.

I think there are a few possibilities.

1) One of my work mates has changed a GPO or Domain Policy and this has affected WMI
2) NOD32 (our new anti-virus software) has decided that the Open Audit VBScript is malware and is refusing to allow it to connect
3) Microsoft Updates have changed the default security for WMI
4) Some other event has knocked out WMI

I can open WMI on the affected boxes using the local manage option, and see everything I need, but when I try to connect via the LAN, I get connection refused. I even add myself to the WMI security on the box, still nothing.

The error looks like this (here I am just trying to manage one remote machine, named in audit.config. I am logged in as myself, a domain admin).

W:\htdocs\OpenAudit\scripts>cscript audit.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

No username and password provided - therefore assuming local domain PC.
W:\htdocs\OpenAudit\scripts\audit.vbs(216, 7) Microsoft VBScript runtime error:
Permission denied: 'GetObject'



Anybody else having this issue?

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


PostPosted: Tue Sep 18, 2007 8:47 am 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1964
Location: Brisbane, Australia
Odd. Maybe (and I know it is Domain Controlled), but try running the firewall_allow.vbs on an affected PC. Then try auditing again. This might at least point us in a direction...

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


PostPosted: Tue Sep 18, 2007 6:08 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I did think of that, but it is also affecting some W2K servers, which don't run XP firewall. By the same token, some of the XP boxes have the firewall turned off.
It's very strange, but seems to be tied down to one container in the Active Directory (hence my thought that someone has been messing about with domain policy).
Unfortunately the container in question has most of the machines in it!

Much head scratching so far, I will keep you posted. :?
(I can work around this problem as I can connect locally to WMI, and therefore I can audit from the login scripts, but that's not the way I want to do things).

_________________
Andrew



PostPosted: Tue Sep 18, 2007 7:35 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Further to the above... If I run the audit as the Administrator (i.e. the Domain Account "Administrator") then it works fine; if I run it as me (a Domain Administrator) it doesn't, so therefore something has changed related to WMI security or perhaps connectivity.

Still searching.... :?

_________________
Andrew



PostPosted: Wed Sep 19, 2007 12:20 am 
Newbie

Joined: Wed May 25, 2005 5:11 am
Posts: 49
Location: Toronto, Ontario, Canada
You might also want to check the security settings on DCOM. Perhaps there was a group policy change or something that turned it off (or changed the Access permissions on it).

I noticed last week that certain machines here weren't running the audit.vbs script despite the fact that my account should have had full admin rights. The problem ultimately ended up being that these machines had DCOM turned off (perhaps originally set in an image used to set up these particular machines). I would pick an affected machine and then try the following:

Control Panel -> Administrative Tools -> Component Services -> Computers -> My Computer. Right-click on the 'My Computer' icon and select Properties. Under the 'Default Properties' tab check to see if 'Enable DCOM on this computer' is checked. Also, you might want to check the Access permissions under the 'COM Security' tab.


PostPosted: Wed Sep 19, 2007 1:18 am 
Newbie

Joined: Fri Sep 14, 2007 10:08 pm
Posts: 3
In reply to my original post, my problem wasn't fixed at all. It worked temporarily, but it looks like Cscript dynamically assigns a port from a certain range, as it has tried another 3 since then. I do not really want to open up a whole range of ports, so is there any way of getting Cscript to use the same port every time?


PostPosted: Wed Sep 19, 2007 4:17 am 
Newbie

Joined: Wed May 25, 2005 5:11 am
Posts: 49
Location: Toronto, Ontario, Canada
Apparently the problem is with DCOM selecting from a range of ports (WMI runs on top of DCOM).

http://www.myitforum.com/forums/m_14099 ... htm#140997

This page has some info on making DCOM work with firewalls:
http://msdn2.microsoft.com/en-us/library/ms809327.aspx


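The DCOM check and the DCOM port-range restriction discussed in the two posts above, as an added example that is not part of the original thread or of Open-AudIT. The function name `Get-DcomRpcState` and the range `5000-5100` are assumptions chosen for illustration; the registry values are the standard Windows settings for DCOM and RPC dynamic ports.

```powershell
# Added example, not from the thread. Run as an administrator on a machine that is
# being audited. Without -Apply it only reports; with -Apply it pins RPC dynamic
# ports to a fixed range so the firewall rule can be narrow.
param(
    [string]$PortRange = '5000-5100',   # assumed range, pick one that suits your firewall policy
    [switch]$Apply
)

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'            # holds EnableDCOM ("Y" or "N")
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'   # holds the RPC dynamic port settings

function Get-DcomRpcState {
    # Report the settings behind "Enable DCOM on this computer" and the RPC port range.
    $ole = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue
    $rpc = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        EnableDCOM             = $ole.EnableDCOM
        Ports                  = if ($rpc) { $rpc.Ports -join ',' } else { '(not set, default dynamic range)' }
        PortsInternetAvailable = $rpc.PortsInternetAvailable
        UseInternetPorts       = $rpc.UseInternetPorts
    }
}

if ($Apply) {
    if ($PortRange -notmatch '^\d+-\d+$') {
        throw "PortRange must look like 5000-5100, got '$PortRange'"
    }
    if (-not (Test-Path $rpcKey)) {
        New-Item -Path $rpcKey -Force | Out-Null
    }
    # Ports is a multi-string; the two flags are plain strings set to "Y".
    New-ItemProperty -Path $rpcKey -Name Ports -PropertyType MultiString `
        -Value @($PortRange) -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $rpcKey -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
    Write-Warning 'Restart the machine before expecting RPC/DCOM to use the new range.'
}

Get-DcomRpcState | Format-List
```

The range takes effect on the audited machine, since that is where the DCOM server chooses its listening port, and only after a restart. The firewall then needs TCP 135 plus the chosen range rather than the whole default dynamic range.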
PostPosted: Wed Sep 19, 2007 10:42 pm 
Newbie

Joined: Fri Sep 14, 2007 10:08 pm
Posts: 3
Thanks for that, although it hasn't made a difference. It's still using random ports. Back to square 1.


PostPosted: Wed Sep 19, 2007 11:27 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
mattblack_uk2002 wrote:
Thanks for that, although it hasn't made a difference. It's still using random ports. Back to square 1.


Can you run the audit from a machine which is on the other side of the firewall, and post the data back to the web server? After all, the audit script only needs to be able to pass port 80 back to the web server. This method also has the advantage that you probably don't need to open anything new on your firewall.

The script can be run from any PC, so long as the audit.config file which goes with it contains the URL of the web host, and that URL can be seen from the PC in question.

If you want to NMAP a network, this works better if the nmapping PC is on that network, because then you will also be able to see MAC addresses (the MAC layer won't be seen if you NMAP from a remote subnet).

I am working on adding the ability to allow the script to pick up all of its config from the web host. That way we can have one script, and run it from anywhere, its actions being determined by the location from which it is run.

_________________
Andrew



PostPosted: Mon Jan 03, 2011 4:56 pm 
Newbie

Joined: Fri Dec 31, 2010 3:45 pm
Posts: 1
I can't get Mandriva Linux working on my PC? I tried to install Mandriva Linux on my PC, and it doesn't finish starting up, and it freezes. But when I install it on my old PC it works fine. Then I thought it might be the processors. My new PC is an AMD, and my old PC is Intel. Is there a Mandriva One Linux for AMD processors?

