Troubleshooting Network Audits

Error: "Class not registered" – Windows NT 4.0
 

Configure DCOM to allow remote connections.

• Run dconcnfg.exe from the Run prompt.
• On the "Default properties" tab, select "Enable Distributed COM on this computer".
• Set "Default Authentication Level" to "Connect".
• Set "Default Impersonation Level" to "Impersonate".
  

RPC Server Unavailable while auditing machines running Windows XP SP2 and Windows 2003 SP1

• Run the Microsoft Management Console on the XP/2003 machines – i.e. Start > run > mmc

• Add the "Group policy object editor" snap-in – i.e. File > Add/Remove snap-in > Add > Group Policy.

• Select the "Local Computer" or if you would like to change the policy for the Domain then "Browse…" and select "Default Domain Policy".

• Navigate to: [Group Policy Object] > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile (for a Domain administered network - Standard Profile for a Workgroup network).

• Edit the Setting: "Windows Firewall: Allow Remote Administration Exception".

• Set "Enabled".

• Set "Allow unsolicited incoming messages from:" to "localsubnet" (without the quotes).

• Apply the settings.

• These setting will not take effect immediately. To force immediate updates use the Microsoft Group Policy Update Utility: http://support.microsoft.com/kb/298444

Error: "Access Denied"

A) Verify DEP Settings

On the machines running Windows XP SP2 and Windows 2003 SP1, you will need to verify the DEP security settings.

        1. Open "Control Panel"

        2. Open "System Properties"

        3. Click on the "Advanced" tab

        4. Click on the "Settings" button for the "Performance" group

        5. Click on the "Data Execution Prevention" tab

        6. Make sure that DEP is enabled for essential Windows programs and services only.

B) DCOM Security settings

Under Windows 2000

        1. Select Start > Run.
 

        2. Type DCOMCNFG and then click "OK’.

        3. Select the "Default Security" tab.

        Go to the "Launch Permissions" section below.

Under Windows XP and Windows Server 2003

        1. Select Start > Run.

        2. Type DCOMCNFG and then click "OK".

        3. Expand the "Component Services" node.

        4. Expand the "Computers" node.

        5. Right-click on the "My Computer" node.

        6. Select "Properties".

        7. Select the [Default] "COM Security" tab.

Launch Permissions

• Under "Default Launch Permissions" (Windows 2000) or "Launch and Activation Permissions" (Windows XP and Server 2003) – ensure that at least INTERACTIVE, SYSTEM, and Administrators have "Allow Launch".

• Under "Default Access Permissions" (Windows 2000) or "Access Permissions" (Windows XP and Server 2003) only the following accounts should be listed:

Platform Account

• Windows 2000 -> None
• Windows XP (RTM and SP1) -> SYSTEM
• Windows XP SP2 and Windows Server 2003 -> SELF and SYSTEM
  

If the above Access Permissions settings have been modified, you need to make sure that at least INTERACTIVE, SYSTEM and Administrators have been explicitly granted "Access Permission". As an alternative you can export (for backup) and then delete the following registry key to restore the original default values:

HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission

C) Default WMI DCOM Settings

Under Windows 2000

        1. Select Start > Run.

        2. Type DCOMCNFG and then click "OK".

        3. Select the "Applications" tab.

        4. Double-click on "Windows Management Instrumentation".

Verify the following settings:

• Under the "General" tab: Authentication Level = Default

• Under the "Security" tab: Launch Permissions = Default

• Access Permissions = Default

This is the end of the Windows 2000 settings. The remainder of this document concerns Windows XP and Windows Server 2003.

Under Windows XP and Windows Server 2003

        1. Select Start > Run.

        2. Type DCOMCNFG and then click "OK".

        3. Expand the "Component Services" node.

        4. Expand the "Computers" node.

        5. Expand the "My Computer" node.

        6. Expand the "DCOM Config" node.

        7. Right-click on "Windows Management [and] Instrumentation".

        8. Select "Properties".

Verify the following settings:

• Under the "General" tab:   Authentication Level = Default

• Under the "Security" tab:   Launch Permissions = Everyone

• Access Permissions = Default

D) Verifying Rights

Windows Server 2003 and Windows XP SP2

        1. Select Start > Run.

        2. Type "gpedit.msc" (no quotes) and then click "OK’.

        3. Navigate down to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

        4. Verify that the SERVICE account is specifically granted "Impersonate a client after Authentication" rights.

Verifying Service Settings

        1. Select Start > Run.

        2. Type "services.msc" (no quotes) and then click "OK’.

        3. Double-click on "Windows Management Instrumentation".

        4. Under the "General" tab verify that the Startup Type is set to "Automatic".

        5. Under the "Log On" tab verify that "Local System account" is selected.

Verifying Namespace Security

        1. Select Start > Run.

        2. Type "wmimgmt.msc" (no quotes) and then click "OK".

        3. Right-click on "WMI Control (Local)".

        4. Select "Properties".

        5. Select the "Security’ tab.

        6. Select the "Root" namespace.

        7. Click "Security".

Ensure that you have allowed the permission entries shown above.

Back to top

See Also:

Audit Current Workstation

Configure Discovery Schedule

Configure the Network Audit Service

Document Discovered Hardware

Document Discovered Software

Audit History

Audit By Login Script