Can't scan Windows 7 from Windows XP (SP Pro)

General support questions for the Secutor Prime product.
maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Can't scan Windows 7 from Windows XP (SP Pro)

Postby maxhavoc » Fri Feb 11, 2011 9:53 am

I am trying to do a USGCB scan on a Windows 7 workstation from a Windows XP workstation and I always get an "Unable to authenticate" error. I know the username/password is correct and I can scan other XP systems just fine.

The Windows 7 system has no firewall
Network access: Sharing and security model for local accounts is set to Classic - local users authenticate as themselves
LAN Manager Authentication level is set to Send NTLMv2 refuse NTLMv1/LM on both systems
Microsoft network client: Digitally sign communications (always) is disabled on the XP system

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Fri Feb 11, 2011 8:46 pm

One thing you may need to check is that the registry value LocalAccountTokenFilterPolicy exists and is set to "1".

For a for list of remote authentication requirements, refer to the post

http://forums.threatguard.com/viewtopic.php?t=20


Another thing to try is adding the domain name or machine name of the target.

Sometimes it is easier to check validation by using the Windows File Explorer to mount the administrative share from the target machine (usually C$). Whichever account works for that is exactly what you will need to use in Secutor Prime to authenticate.

Even better, mount an administrative share from a console using the "NET USE" command -- that often gives better feedback on why a connection is failing.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Tue Feb 15, 2011 1:47 pm

I set the registry value you mentioned, it didn't help. I went through every setting in the forum post you mentioned before I posted for help so nothing there solved the problem.

I can net use to C$ without problem. I can also RDP to the system without issue.

I don't know what you mean by "adding the domain name or machine name of the target". Adding it to what?

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Tue Feb 15, 2011 2:09 pm

Depending on the domain memberships (or lack thereof) for both the local and remote machine, you may need to specify the domain name (or the machine name if it is not in a domain -- usually the IP address will also work in that case) as part of the authentication credentials.

If you found it necessary to do this to establish a Remote Desktop (RDP) or file share connection, do exactly the same thing from Prime.

For example, if you are authenticating as "administrator" and the target machine is a member of the "MULE" domain, enter the account name in the Prime login prompt as "MULE\administrator" -- or enter the domain and account name in the separate Domain and Account text fields. Either approach will work.

Conversely, if you are able to mount an administrative share without specifying the domain name of the target machine, then do the same from the Prime login prompt.

Finally, be certain the account you are logging on with has local admin rights on the remote target machine. If it does not then the login attempt will fail.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Wed Feb 16, 2011 9:34 am

Both systems are on the same domain. The account I'm using is in the administrator group on the remote system.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Wed Feb 16, 2011 9:46 am

Are you using the domain name as part of the account name or not? Be sure to try it both ways.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Thu Feb 17, 2011 12:34 pm

I put the domain name in the domain text box. I also tried without it. Neither work, both give the same error.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Thu Feb 17, 2011 1:37 pm

Well nuts, this is getting a bit mysterious. We regularly do this from XP to Windows 7 in a variety of combinations of domain membership (and not), and in a variety of states, up to and including full FDCC/USGCB compliance (with the exception of those changes necessary for remote NetBIOS authentication).

Secutor Prime actually invokes the underlying Windows authentication mechanism to establish the NB connection, the same one invoked when you do a NET USE, so if that works then the same credentials should work from Prime.

Still, there are a few things you can try to track down what the difference is:

1) Do a "NET USE" and see if there are any existing connections already established between the two machines. Do a "NET USE /DELETE" on any that are there and then try connecting from Prime again.

2) Rather than putting the domain name in the domain text box, put it in the account text box in the form "DOMAIN\Account". Also try using the IP address of the target in place of the domain name.

3) If the account name or password has special characters, try (temporarily) changing the password to something with no special characters, just in case there's a character encoding bug on our part or a mismatch of charsets between the two machines.

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Thu Feb 17, 2011 1:50 pm

And I should add that we just put out Version 4 of Secutor Prime. Some of the changes in there might just help you out. You can do the update either by downloading the update installer from

http://threatguard.com/downloads


or just use the auto-update mechanism built into Prime (Help --> Check for updates).

FYI, when upgrading from Secutor Prime v3 to v4 you will need to do a second update after downloading, installing, and restarting Prime. This will only need to be done once when upgrading from any v3 to v4 version.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Fri Feb 18, 2011 8:14 am

I tried upgrading from v3 to v4 which didn't help.
I've always been using the IP address so that's not the problem.
I tried putting the domain in the account name field and that didn't help.
I tried using a local account with no special characters and I get a different error message: "Service not available or insufficient permissions". (This is an administrator account).

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Fri Feb 18, 2011 9:07 am

When you say you always use the the IP address, do you mean when specifying the machine to connect to?

What I'm referring to in this context is to try using the IP address not just for which target to connect to, but also in place of the domain name, such as

216.154.253.189\Administrator


Also, if you run "NET USE" on the local XP machine, does it show any existing mounts to the Windows 7 machine?

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Fri Feb 18, 2011 3:39 pm

Following up on this further, as we try to recreate what you are reporting, I can say you can ignore the part about using NET USE to see if any other SMB mounts are already active between the two systems. The current release of Prime correctly accounts for that possibility.

However, we do see one thing that fits with your symptoms, which is the existence of the registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy with a DWORD value of 1 must exist.

Be careful with this one. On a 64-bit Windows 7 system you will need to be sure you are creating this value in the 64-bit part of the registry and not the 32-bit compatibility section. Be positive that you are using the 64-bit version of regedt32, otherwise you'll be trapped in the 32-bit section and won't be know it.

The other thing to watch for is the correct path to that registry value. The HKLM\SOFTWARE\Microsoft registry path has both Windows NT and Windows keys. The correct path is under Windows. Also be sure that the value type you create is a DWORD.

With that simple change, all of our Windows 7 targets work correctly.

maxhavoc
Contributor
Posts: 10
Joined: Thu Feb 10, 2011 8:34 am

Postby maxhavoc » Tue Feb 22, 2011 8:15 am

The Windows 7 system is 32-bit and the LocalAccountTokenFilterPolicy value was already set to 1.

I tried putting the IP address before the username and that didn't help.

Is there a way to get more a detailed error message? Something a tad more helpful than "unable to authenticate"?

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm
Contact:

Postby gunnar » Tue Feb 22, 2011 11:07 am

Unfortunately, at the point of failure, it's the Microsoft authentication call that is failing, so there really isn't an immediate way to get more detailed information back to the application.

However, since the authentication is actually handled by the Windows OS you should be able to use the Event Log (on both the local and remote machines) to see if any more specific information is available.

We will look to see if there is a way to provide more specific information in the application and work that into the next product update cycle.

Referring back to the post where you tried a different account, the message from that attempt indicates that the login succeeded, but that the account you were using did not have sufficient permissions to perform the assessment.

That means that the local and remote machines are set up correctly for remote assessments, and the problem lies in the accounts being used. The second you mentioned is an administrator, but got a message indicating insufficient permissions. That probably means it does not belong to the local administrators group on the remote machine. This is determined directly by attempting to open the HKLM registry hive. This particular action can be logged in greater details by checking "Enable native debug logging" in the Assessment Settings. Be sure to turn this off when you are done. The native actions will be logged to the file "logs/windows_native.dbg".

For the first account, since the second can authenticate, you know that your machines are set up correctly, but there's something about the account that is incorrect -- it's not an interactive account, the password is incorrect, the profile for the account does not exist, the domain controller is unreachable, the account is locked out...


Return to “Secutor Prime Support”

Who is online

Users browsing this forum: No registered users and 1 guest