Scanning remote systems via VPN
Scanning remote systems via VPN - 1.Apr.2003 12:43:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
I have computers outside of my local Domain but connected via a VPN. I am getting information back when I scan a remote system but never any alerts or info regarding missing or installed patches. The firewalls on each end of the tunnel are wide open and nothing being logged about blocking ports or errors. Machines within the Domain come back ok with Alerts but nothing remotely in the VPN. I know the XP and 2000 Pro systems I am scanning are missing updates so I should be getting some of that back to update.
Here are some of the errors I am getting when I run a scan on a remote system:
Read server info ...
List trusted domains ...
List shares ...
List groups ... --> Error (1722) The RPC server is unavailable
List users ... --> Error (5) Access is denied
List services ... --> Error (5) Access is denied
List sessions ... --> Error (5) Access is denied
List network transports ... --> Error (5) Access is denied
List drives ... --> Error (5) Access is denied
Read remote time of day ...
Read password policy ... --> Error (5) Access is denied
Connect to remote registry ... --> Error (5) Access is denied
Check for missing patches ...
Check security audit policy ... --> Failed to open policy on the remote system
RE: Scanning remote systems via VPN - 1.Apr.2003 5:41:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
First, what version of LNSS are you using?
Next, odds are that you are using current credentials under:
Scan > Options > Session Tab
and that that user does not have rights to gather any info from the machine you are scanning.
Either log on with an account that has rights or use the specific user under the Session Tab listed above. If you are already using a specific user, change it to current user and log in to that machine with a user that has rights. We have seen issues where it appears the machine has already created a connection between the scanning and the scanned machine and the user credentials do not matter because the underlying Windows API calls ignore it and use the already created connection.
eric
RE: Scanning remote systems via VPN - 2.Apr.2003 11:25:00 AM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
I am using 3.2. I tried guest and administrator, both of which are available. Here are my session details:
[192.168.56.2] SMB probing ...
Connecting ...(1/6)
Name "AZ056" encoded as "EBFKDADFDGCACACACACACACACACACACA"
Session established.(2/6)
Security mode : user
Protocol negotiated.(3/6)
Operating system : Windows XP
Domain : CHECKSMART
LAN manager : Windows 2000 LAN Manager
NULL session established.(4/6)
Connected to IPC$.(5/6)
No share list.
Establishing remote session (NT way) ...
Username : "administrator"
Session established OK.
RE: Scanning remote systems via VPN - 2.Apr.2003 12:05:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
You are getting this:
quote:
SMB probing ...
Connecting ...(1/6)
Name "AZ056" encoded as "EBFKDADFDGCACACACACACACACACACACA"
Session established.(2/6)
Security mode : user
Protocol negotiated.(3/6)
Operating system : Windows XP
Domain : CHECKSMART
LAN manager : Windows 2000 LAN Manager
NULL session established.(4/6)
Connected to IPC$.(5/6)
No share list.
Establishing remote session (NT way) ...
Username : "administrator"
Session established OK.
and then this:
quote:
Read server info ...
List trusted domains ...
List shares ...
List groups ... --> Error (1722) The RPC server is unavailable
List users ... --> Error (5) Access is denied
List services ... --> Error (5) Access is denied
List sessions ... --> Error (5) Access is denied
List network transports ...
in the same scan?
For XP scanning, have you gone into the XP machine and turned on the old way of authentication? I don't have any XP boxes around here so I can't walk through how to do this, but it has something to do with Guest account, sorry been too long.
We are working on an issue where if you specify a specific userid, there may be problems, since a connection is made with your current credentials and then Windows keeps using those instead of what LNSS tells it to (at least that is the theory right now). Anyway, log on locally to the workstation you are running LNSS from with an account that has rights to the remote machine and see if you still have errors.
let me know
eric
RE: Scanning remote systems via VPN - 2.Apr.2003 2:37:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
The XP Pro remote system gives me those errors when I log on to the LNSS server with the same administrator account. I scanned a Win2000 pro remote system both ways and changed the session login and it worked with no errors. I even created a user on the XP system and scanned with that account and it still produced errors. It does seem that the remote XP systems are the problem here. I can however scan a local LAN based XP Pro workstation and that works fine with no errors. Would it be the case of an out of Domain remote XP station not being able to resolve the user name? I will continue to mess with the settings on the remote XP machines to get this working. If you have any other ideas please reply! Thanks for your help, this is fun and I do like this application very well! Much potential here!
RE: Scanning remote systems via VPN - 2.Apr.2003 3:33:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
I set up a new XP pro system in the LAN and after joining the Domain it resolved in LNSS with no errors. I took it back to a workgroup and I got errors in LNSS. The remote XP systems are in their own workgroup and not part of the Domain back here because of VPN limitations. There has to be something in XP that can be set to work outside of Domain rights and resolution. Win2000 works so it can't be too far for XP to work.
Thanks
RE: Scanning remote systems via VPN - 2.Apr.2003 7:36:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
When you log on to the machine that is in the domain, the username that is going to be broadcast and try to connect is:
domain\username and password
The problem is those machines that are not in the domain are not going to know who domain\username is, therefore you can't log in.
This is under the assumption that the machine you are logging into you are logging in as a domain account and not locally.
The remote VPN machines I assume all have the same administrative password (or an account with administrative rights).
Following the above assumptions you need to login locally to the machine you are scanning from with the same username you use on the remote machines.
That make sense? Ultimately, you need to log in to the scanning machine locally, not into the domain, and you need to log in using the same credentials as what is available on the remote machines that are not on the domain.
eric
RE: Scanning remote systems via VPN - 3.Apr.2003 12:00:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
I did exactly that. On the LNSS server I logged out of the Domain and back in under Administrator locally, no password. On the remote XP Pro system it has the same login, no password. So both systems at this point are logged in the same way. In fact, the XP pro system that is two feet from the LNSS server is doing the same thing logged in locally. I even unjoined the Domain on the LNSS server and joined the same workgroup name Checksmart and that still gives me the same errors. The session options do not matter either. I played with those as well. The only way I can get the XP system to work is to join the Domain and then scan from the LNSS server logged in as well to the domain and everything works fine.
RE: Scanning remote systems via VPN - 3.Apr.2003 1:27:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
With the XP machine, as part of a workgroup have you gone in and changed the authentication feature to using the old method?
I'm not sure this is exactly what I'm thinking of, but here is a link to MS on it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;302927
Bottom part: Note that on Windows XP Professional computers that are not joined to a domain with simple file sharing enabled and on Windows XP Home Edition computers, all users are authenticated as guests.
There is a way to turn this off, but I can't remember currently. I think it may be as simple as disabling the guest account and the simple file sharing, but I don't have any XP boxes around here to check/try that on currently.
One KB article warning on this: http://support.microsoft.com/default.aspx?scid=kb;en-us;300489
I'm not sure that this is the issue you are having, but it is possible.
So let's start over (my brain is fried this week):
Site 1:
LNSS machine (3.2)
Domain Controller
2000 and XP Pro machines part of Domain
Site 2:
2000 and XP Pro machines NOT part of domain, but part of a workgroup.
Site 1 machines scanned by LNSS are fine, but site 2 XP machines give error 5 and a few other errors. But 2000 machines give full info based on:
quote: Win2000 pro remote system both ways and changed the session login and it worked with no errors
With this info it sounds like it is the issue of the Guest account on XP causing the issues and simple file sharing.
I emailed off to someone to get the exact directions on turning that off, in a nutshell though it is turning on 2000 authentication on an XP box.
eric
RE: Scanning remote systems via VPN - 3.Apr.2003 4:05:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
I am a bit fried as well. I think we almost have this. I can't believe nobody else is having this issue but with the new version and people going to XP it will probably become more frequent though. You have the Site info correct. Site 1 consist of the LNSS server and the test XP pro system. Site 2 is only the XP system at the end of one of my VPN's. I have at least 80 XP pro systems out in my VPN so it will be important to get this resolved. Thanks for your help. I will continue to research the Guest account and enable options till this works.
RE: Scanning remote systems via VPN - 8.Apr.2003 10:02:00 AM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
Finally found/got what I was looking for from my friend:
Regarding Windows XP. Have you changed the authentication style to classic?
Run: secpol.msc
Security settings->Local policies->Security options->Network access: Sharing and security model for local accounts.
Change to classic instead of Guest only.
eric
RE: Scanning remote systems via VPN - 15.Apr.2003 3:41:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
Did all of that with the XP system still part of the workgroup and LNSS still gives me the same errors and no alerts. The Guest account is enabled with a blank password including the Administrator account as well. I tried session options for both and it still gives me the following errors:
Username : "administrator" --> Error (1326) Logon failure: unknown user name or bad password
Read server info ... --> Error (5) Access is denied
List trusted domains ...
List shares ... --> Error (5) Access is denied
List groups ... --> Error (5) Access is denied
List users ... --> Error (1326) Logon failure: unknown user name or bad password
List services ... --> Error (1326) Logon failure: unknown user name or bad password
List sessions ... --> Error (5) Access is denied
List network transports ... --> Error (5) Access is denied
List drives ... --> Error (5) Access is denied
Read remote time of day ... --> Error (5) Access is denied
Read password policy ... --> Error (1326) Logon failure: unknown user name or bad password
Connect to remote registry ... --> Error (5) Access is denied
RE: Scanning remote systems via VPN - 22.Apr.2003 12:01:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
sorry, didn't see that this thread got updated until today.
First you'd have to be logged onto the machine running LNSS as a local account only, with the same username/password as you are using on the remote site, it shouldn't matter if that machine is still part of the domain or not, but logging in locally as administrator with the same password setup on the local machine as the remote is the best.
If that still doesn't work, about all I can say then would be to look at doing a packet capture, putting the XP machine back into classic mode should work unless something else is blocking or screwing up packets.
eric
RE: Scanning remote systems via VPN - 23.Apr.2003 2:59:00 PM
mwick
Posts: 15
Joined: 31.Mar.2003
Status: offline
If you look back I did do that. The LNSS server is logging in locally with Administrator and the XP station is doing the same. Both usernames have the same password as well. I even tried another XP system just in case my test system is messed up and it does the same thing. Logging the XP system into the domain and LNSS server to the domain does work. It's only when that XP system is in a workgroup and not in the domain as the LNSS server is that I get all those errors.
RE: Scanning remote systems via VPN - 23.Apr.2003 4:27:00 PM
xnih
Posts: 2465
Joined: 30.May2001
From: Idaho
Status: offline
without a packet capture of the authentication between them I really couldn't say past what we have discussed already.
It would appear at first glance that either classic mode is not turned on on the XP boxes, or username/password is not correct. (either because LNSS is adding stuff to it before it leaves, MS workstation that you are on is adding to it, etc).
I know that if XP machines are not set to the classic mode of authentication and they are not in a domain, scanning them will not work because it will authenticate as the guest account, not as the credentials you try to use.
There could also be an issue with XP simple file sharing.
Will see if I can duplicate the issue here.
eric
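Added example, not part of any post in this thread and not LNSS code: a small triage script that reads scan output in the format quoted above and separates the three failure patterns the thread keeps running into (rejected credentials, a session that is accepted but refused on every administrative call, and an unreachable RPC endpoint). The function names, the finding labels and the threshold of three "Access is denied" results are assumptions made for this illustration; the sample logs are constructed from lines quoted in the posts.

```python
import re

# Win32 error codes seen in the scan output quoted in this thread.
ACCESS_DENIED, LOGON_FAILURE, RPC_UNAVAILABLE = 5, 1326, 1722

ERR = r"(?: --> Error \((?P<code>\d+)\))?"
STEP_RE = re.compile(r"^(?P<step>.+?) \.\.\." + ERR)
USER_RE = re.compile(r'^Username : "(?P<user>[^"]*)"' + ERR)

# Constructed samples, assembled from lines quoted in the thread.
SCAN_SESSION_OK = '''\
Establishing remote session (NT way) ...
Username : "administrator"
Session established OK.
List groups ... --> Error (1722) The RPC server is unavailable
List users ... --> Error (5) Access is denied
List services ... --> Error (5) Access is denied
Connect to remote registry ... --> Error (5) Access is denied
'''
SCAN_LOGON_FAIL = '''\
Username : "administrator" --> Error (1326) Logon failure: unknown user name or bad password
Read server info ... --> Error (5) Access is denied
List users ... --> Error (1326) Logon failure: unknown user name or bad password
'''

def parse_scan(text):
    """Return (session user, session error code, {step: error code or None})."""
    user, session_err, steps = None, None, {}
    for line in map(str.strip, text.splitlines()):
        if m := USER_RE.match(line):
            user = m["user"]
            session_err = int(m["code"]) if m["code"] else None
        elif m := STEP_RE.match(line):
            steps[m["step"]] = int(m["code"]) if m["code"] else None
    return user, session_err, steps

def triage(text):
    """Map a scan log to coarse causes an administrator should check (hypothetical labels)."""
    user, session_err, steps = parse_scan(text)
    codes = [c for c in steps.values() if c is not None]
    findings = []
    if session_err == LOGON_FAILURE or LOGON_FAILURE in codes:
        findings.append("credentials-rejected")  # account or password not accepted
    elif user is not None and codes.count(ACCESS_DENIED) >= 3:
        # Logon accepted but admin calls refused: no rights, or mapped to Guest.
        findings.append("session-ok-but-unprivileged")
    if RPC_UNAVAILABLE in codes:
        findings.append("rpc-unreachable")  # endpoint blocked, filtered or not running
    return findings
```

A "session-ok-but-unprivileged" result on a workgroup XP host is the pattern the thread attributes to the "Guest only" sharing and security model; "credentials-rejected" points at the account or password instead.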