...
```
\HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script\Settings
```
...
...
Enabling the Administrator account on non-Domained machines
Open a command prompt with administrative rights (press the Windows key, type 'cmd' (sans quotes), right click Command Prompt and select Run as Administrator).
In the command window type:
```
net user Administrator
```
You should see Active set to No. Enable the account with:
```
net user Administrator /active:yes
```
Then run the first command again and confirm Active is now Yes. Then set the password with:
```
net user Administrator *
```
And type 'exit' to close the window.
Windows 7 and 2008 R2 not submitting audit using HTTPS
We have been advised that some Windows 7 and Windows 2008 R2 machines will not submit their audit result to the Open-AudIT server when the server is running HTTPS. If this affects you, please see the following Microsoft article - https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
...
```
C:\Users\opDev>wmic /user:YOUR_DOMAIN\YOUR_USERNAME /password:YOUR_PASSWORD /node:YOUR_IP os get name
Name
Microsoft® Windows Server® 2008 Enterprise |C:\Windows|\Device\Harddisk0\Partition1
```
If the response is: Description: RPC Server is unavailable, then you have a firewall or other issue.
If the response is: Description: Access Denied Facility = Win32 then the credentials that were supplied don't have Windows DCOM permissions on the Target machine.
If the response is: Description: Access denied Facility = WMI then the credentials that were supplied don't have WMI Security permissions on the Target machine.
Matching Discovery Logs to WMI issues
If you see the below, try the following fixes.
ERROR: Failed to open connection - NT_STATUS_LOGON_FAILURE
Check your credentials and that they are of a machine Administrator account.
ERROR: Failed to open connection - NT_STATUS_CONNECTION_RESET
Likely from our attempt to use SMB1, which the target Windows PC no longer accepts.
ERROR: Failed to save ADMIN$/winexesvc.exe - NT_STATUS_ACCESS_DENIED.
Are the ADMIN$ and IPC$ shares enabled? Check as below.
ERROR: UploadService failed - NT_STATUS_ACCESS_DENIED.
Are the ADMIN$ and IPC$ shares enabled? Check as below.
ERROR: Failed to install service winexesvc - NT_STATUS_ACCESS_DENIED
This most likely means the user account being used does not have sufficient rights on the target machine. To fix this issue, see the section above on this page for UAC.
ERROR: StartService Failed - NT_STATUS_ACCESS_DENIED
We are still investigating possible causes for this issue. It appears that the winexesvc.exe file has been copied to the target and the service registered, however it fails to start. This may be Antivirus related. We are unsure at this stage.
Winexe requirements (Linux only) on Windows machines
Enabled services: Workstation, Server.
"Windows Network" is running and "Printer and File Sharing" is activated.
The "Remote IPC" and "Remote Admin" shares are enabled. To verify, run "net share" in a command prompt and check that the ADMIN$ and IPC$ shares are listed.
An account with administrative privileges and a non-empty password. If the Windows machine is not on a domain, it is best to use the Administrator account (see above).
Firewall rules allowing traffic between both machines.
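A prerequisite check for the list above, as an added example that is not Open-AudIT's own code: run it in an elevated PowerShell on the Windows machine to be audited. It assumes the English firewall rule group name "File and Printer Sharing" and uses only WMI and netsh so that it also runs on Windows 7 / 2008 R2 (PowerShell 2.0).

```powershell
# Added example, not Open-AudIT's own code: run in an elevated PowerShell on the
# Windows machine being audited to check the Winexe prerequisites listed above.
# Only WMI classes and netsh are used so it also works on Windows 7 / 2008 R2
# (PowerShell 2.0). The firewall check assumes the English rule group name
# "File and Printer Sharing"; adjust that string on localized Windows.

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Test-WinexePrerequisites {
    $checks = @()

    # 1. Workstation and Server services (file and printer sharing) must be running.
    foreach ($svc in 'LanmanWorkstation', 'LanmanServer') {
        $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        $state = if ($s) { $s.State } else { 'not installed' }
        $checks += New-Check "Service $svc running" ($state -eq 'Running') "State: $state"
    }

    # 2. The ADMIN$ and IPC$ shares must exist (the same list "net share" prints).
    $shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
    foreach ($sh in 'ADMIN$', 'IPC$') {
        $checks += New-Check "Share $sh present" ($shares -contains $sh) ("Shares: " + ($shares -join ', '))
    }

    # 3. On non-domain machines the built-in Administrator (RID 500, even if renamed)
    #    must be enabled and must not carry the "password not required" flag.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=TRUE AND SID LIKE '%-500'"
    $checks += New-Check 'Administrator account enabled' ($admin -ne $null -and -not $admin.Disabled) "Name: $($admin.Name), Disabled: $($admin.Disabled)"
    $checks += New-Check 'Administrator password required' ($admin -ne $null -and $admin.PasswordRequired) "PasswordRequired: $($admin.PasswordRequired)"

    # 4. At least one "File and Printer Sharing" firewall rule must be enabled.
    $fwOut = netsh advfirewall firewall show rule group="File and Printer Sharing" 2>&1
    $enabledRules = @($fwOut | Select-String '^Enabled:\s+Yes').Count
    $checks += New-Check 'File and Printer Sharing firewall rules enabled' ($enabledRules -gt 0) "Enabled rules: $enabledRules"

    $checks
}

$results = Test-WinexePrerequisites
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A non-zero exit code means at least one prerequisite failed; the Detail column shows what was found so the matching fix above can be applied.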
AntiVirus
Some antivirus programs have been known to disable DCOM and remote WMI. You might check the settings of your antivirus program and disable them for testing. We recently had a report of Trend AV specifically blocking calls to winexesvc when auditing Windows computers.
...