Auditing Windows Vista target computers using SecurityExpressions

Article:HOWTO8848  |  Created: 2008-04-18  |  Updated: 2008-05-13  |  Article URL http://www.symantec.com/docs/HOWTO8848
Article Type: How To

Question

How do I audit Microsoft Windows Vista computers using SecurityExpressions?

Answer
Microsoft Windows Vista contains several security features that can prevent SecurityExpressions from connecting to target computers running Windows Vista. User Account Control (UAC), which changes the security context of a user in the Administrators group according to security policy, has the greatest impact on SecurityExpressions' ability to connect to Vista computers. With the right connection credentials and Windows Vista security settings, you can audit Windows Vista computers whether they are on a domain or a workgroup, and whether or not you use an audit agent.

Note: The information in this article applies whether you audit from SecurityExpressions Console or SecurityExpressions Server, and regardless of whether you audit on a schedule, interactively, or using Audit-on-Connect.

For specific instructions on how to perform any of the operations on a Windows Vista computer outlined in this article, check Microsoft's documentation.

Before you audit

Before you audit any Windows Vista computers, you must:

  • Make sure you can ping them.
  • If you plan to use a Built-In Local Administrator account as audit credentials, enable it.

Pinging Windows Vista computers

Windows Vista computers ship from the manufacturer configured so that they cannot be pinged from another computer over the network, and you must be able to ping a Windows Vista computer to audit it. Before auditing any Windows Vista computers, make sure you can ping them over TCP/IP. If you cannot ping a Windows Vista computer over TCP/IP, verify that File Sharing is turned on in the computer's Network and Sharing Center (in Control Panel). If File Sharing is enabled and you still cannot ping the computer, contact your network administrator.

Enabling the built-in Local Administrator account

If you plan to use a Built-In Local Administrator account as credentials to audit Windows Vista computers, you need to enable the "Accounts: Administrator account status" local security policy in Control Panel's Administrative Tools on each Windows Vista computer.
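The two pre-audit checks above (reachability and the built-in Administrator account) can be scripted. The following PowerShell is an added example, not part of this Symantec article: the reachability check runs from the auditing computer against a list of constructed placeholder host names, while the account check and the enable step run locally on the Vista computer. `net user Administrator /active:yes` is the command-line equivalent of setting the "Accounts: Administrator account status" policy to Enabled.

```powershell
# Added example, not part of the Symantec article.
# Pre-audit checks for Windows Vista targets: can each target be pinged, and is
# the built-in Administrator account enabled? Host names are constructed placeholders.

$Targets = @('vista-ws01.example.local', 'vista-ws02.example.local')

function Test-TargetReachable {
    # Runs from the auditing computer. Test-Connection sends ICMP echo requests,
    # the same check as ping.exe, so a failure here means the audit will fail too.
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        $ok = Test-Connection -ComputerName $name -Count 2 -Quiet -ErrorAction SilentlyContinue
        $hint = ''
        if (-not $ok) { $hint = 'Check that File Sharing is on in Network and Sharing Center' }
        New-Object PSObject -Property @{ ComputerName = $name; Reachable = [bool]$ok; Hint = $hint }
    }
}

function Get-BuiltInAdminEnabled {
    # Runs on the Vista computer itself. 'net user Administrator' prints a line
    # 'Account active   Yes|No' that mirrors the "Accounts: Administrator account
    # status" policy. The label is specific to the English locale.
    $out = net user Administrator 2>&1 | Out-String
    if ($out -match 'Account active\s+(Yes|No)') { return ($Matches[1] -eq 'Yes') }
    return $null   # account not found or non-English output
}

function Enable-BuiltInAdmin {
    # Equivalent of setting "Accounts: Administrator account status" to Enabled.
    # Only needed when the built-in account will actually be the audit credential.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (Get-BuiltInAdminEnabled) { Write-Verbose 'Built-in Administrator is already enabled'; return }
    if ($PSCmdlet.ShouldProcess('Administrator', 'Enable built-in local account')) {
        net user Administrator /active:yes | Out-Null
    }
}

# Run from the console/server: list the targets that still need attention.
Test-TargetReachable -ComputerName $Targets | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```

`Enable-BuiltInAdmin` supports `-WhatIf`, so you can see which computers would be changed before committing; `Get-BuiltInAdminEnabled` on its own is a read-only check that can go into a pre-audit inventory.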

Audit scenarios

The conditions of a Windows Vista audit determine what you need to do to make sure the audit works. The audit scenarios are:

  • On a workgroup, no agent
  • On a workgroup using an agent
  • On a domain, no agent
  • On a domain using an agent

On a Workgroup, no agent

If the Windows Vista computers you want to audit on a workgroup don't have the audit agent installed, you must:

  • Use a Built-in Local Administrator account or a Local Administrator Group account as your connection credentials.
  • Disable UAC on the Windows Vista computers.
  • Change the firewall settings on the Windows Vista computers to make an exception for file and printer sharing.
  • If you want to use Windows Management Instrumentation (WMI) rules, change the firewall settings on the Windows Vista computers to make an exception for WMI.

On a Workgroup using an agent

If the Windows Vista computers you want to audit on a workgroup have the audit agent installed, you must:

  • Use a Built-in Local Administrator account or a Local Administrator Group account as your connection credentials.
  • Change the firewall settings on the Windows Vista computers to make an exception for the port number the agent uses to communicate with SecurityExpressions. The port number is 9002.

On a Domain, no agent

If the Windows Vista computers you want to audit on a domain don't have the audit agent installed, you must:

  • Change the firewall settings on the Vista computers to make an exception for file and printer sharing.
  • Use connection credentials that are compatible with the Windows Vista computers' UAC settings.

The following table shows the account types you can use as credentials in this scenario and how you need to adjust the UAC settings to use each account type.

  Credentials                           To make it work
  Built-In Local Administrator account  works
  Local Administrator Group account     disable UAC
  Domain Administrator Group account    works

If you want to audit agentlessly using Windows Management Instrumentation (WMI) rules, you must change the firewall settings on the Vista computers to make an exception for WMI first.
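The agentless prerequisites for both the workgroup and the domain scenario above (the File and Printer Sharing exception, the optional WMI exception, and turning UAC off where the credentials require it) can be applied with one script. The following PowerShell is an added example, not part of this Symantec article. It runs locally on the Vista computer in an elevated session and uses `netsh advfirewall` and the `EnableLUA` registry value, which is the setting behind UAC; the function and parameter names are the example's own.

```powershell
# Added example, not part of the Symantec article.
# Agentless-audit prerequisites on a Windows Vista target. Run locally in an
# elevated PowerShell session; add -WhatIf to preview the changes without applying them.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-FirewallRuleGroup {
    # Enables a built-in Windows Firewall rule group by its display name, the
    # same operation as ticking the exception in the Windows Firewall control panel.
    param([Parameter(Mandatory = $true)][string]$GroupName)
    # Pass arguments as an array so the group name reaches netsh as one argv element.
    $netshArgs = 'advfirewall', 'firewall', 'set', 'rule', "group=$GroupName", 'new', 'enable=Yes'
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to enable rule group '$GroupName'" }
}

function Get-UacState {
    # EnableLUA is the registry value behind UAC: 1 = on, 0 = off.
    $v = (Get-ItemProperty -Path $UacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($v -eq $null) { return 'Unknown' }
    if ($v -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-AgentlessAuditPrereqs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$IncludeWmi,    # only if the audit uses WMI rules
        [switch]$DisableUac     # workgroup targets, or domain targets audited with a Local Administrator Group account
    )
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Enable rule group "File and Printer Sharing"')) {
        Enable-FirewallRuleGroup -GroupName 'File and Printer Sharing'
    }
    if ($IncludeWmi -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Enable rule group "Windows Management Instrumentation (WMI)"')) {
        Enable-FirewallRuleGroup -GroupName 'Windows Management Instrumentation (WMI)'
    }
    if ($DisableUac) {
        if ((Get-UacState) -eq 'Disabled') {
            Write-Verbose 'UAC is already disabled'
        } elseif ($PSCmdlet.ShouldProcess($UacKey, 'Set EnableLUA=0 (turns UAC off; takes effect after a reboot)')) {
            Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 0 -Type DWord
            Write-Warning 'The UAC change takes effect after the computer restarts'
        }
    }
    Get-UacState   # report the resulting state
}

# Example: workgroup target that will be audited with WMI rules (preview only).
# Set-AgentlessAuditPrereqs -IncludeWmi -DisableUac -WhatIf
```

`Get-UacState` on its own is a read-only check and is useful for confirming the setting before and after the audit window; since UAC is turned off only to let the audit connect, the same function tells you which computers still need `EnableLUA` set back to 1 once auditing is complete.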

On a Domain using an agent

If the Windows Vista computers you want to audit on a domain have the audit agent installed, you need to first change the firewall settings on the computers to make an exception for the port number the agent uses to communicate with SecurityExpressions. The port number is 9002.

When auditing through an agent, the audit ultimately runs under the credentials of the agent service's logon user. The connection credentials set in SecurityExpressions are used only to contact the agent; the agent then performs the audit using its service logon user's credentials. When you audit Windows Vista computers with the agent on a domain, the combination of connection credentials and agent credentials determines what the audit can accomplish. The following table shows the possible combinations of account types in this scenario and the outcome of an audit for each. There are no workarounds for the audit or rule failures shown.

Connection credentials (table columns):

  [1] Built-In Local Administrator account
  [2] Local Administrator Group account
  [3] Domain Administrator Group account with rights to log on to the domain controller
  [4] Domain Administrator Group account without rights to log on to the domain controller
      (account must belong to the local administrator group)
  [5] Domain User account
      (account must be in an access-control group that has an agent-access key set in the registry; see "Agent Access Groups" in the console application's help)

  Agent credentials (rows)                    [1]     [2]      [3]      [4]      [5]
  Local System                                works   works    works    works    works
  Local Administrator Group account (a)       works   works    works    fails    works
  Domain Administrator Group account          works   works    works    works    works
  Domain User Group account                   works   works*   works*   works*   works*
  Built-In Local Administrator account (b)    works   works    works    fails    works

  (a) must disable UAC
  (b) must enable the "User Account Control: Admin Approval Mode for the Built-in Administrator account" local security policy
  *   works, but some rules fail: RegAudit, FileAudit, PolicyAudit, ServiceAudit, Account Rights (all)
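For the two agent scenarios (workgroup and domain), the target-side work is the firewall exception for the agent port and, when the agent service logs on as the Built-In Local Administrator, the Admin Approval Mode policy from footnote (b). The following PowerShell is an added example, not part of this Symantec article. It runs locally on the Vista computer in an elevated session. The article gives the port number (9002) but not the protocol, so TCP is assumed; the firewall rule name and the 10.0.0.5 console address are constructed for the example; and `FilterAdministratorToken` is the registry value behind the "User Account Control: Admin Approval Mode for the Built-in Administrator account" policy. The optional `-RemoteIp` scoping is the example's own tightening and goes beyond the article's blanket exception.

```powershell
# Added example, not part of the Symantec article.
# Agent-based audit prerequisites on a Windows Vista target (run locally, elevated).
# The article gives the agent port (9002) but not the protocol; TCP is assumed.
# The firewall rule name below is constructed for this example.

$RuleName = 'SecurityExpressions Agent (9002)'
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-AgentPortRule {
    # True if a rule with our name already exists; netsh prints
    # "No rules match the specified criteria." otherwise.
    $netshArgs = 'advfirewall', 'firewall', 'show', 'rule', "name=$RuleName"
    $out = & netsh $netshArgs 2>&1 | Out-String
    return ($out -notmatch 'No rules match')
}

function Add-AgentPortRule {
    # Opens the agent port inbound. -RemoteIp narrows the exception to the
    # SecurityExpressions console/server address (optional; tighter than the
    # article's blanket exception).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Port = 9002,
        [string]$RemoteIp = ''
    )
    if (Test-AgentPortRule) { Write-Verbose "Rule '$RuleName' is already present"; return }
    $netshArgs = 'advfirewall', 'firewall', 'add', 'rule', "name=$RuleName",
                 'dir=in', 'action=allow', 'protocol=TCP', "localport=$Port"
    if ($RemoteIp) { $netshArgs += "remoteip=$RemoteIp" }
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "Allow inbound TCP $Port for the audit agent")) {
        & netsh $netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'netsh failed to add the agent port rule' }
    }
}

function Enable-AdminApprovalModeForBuiltInAdmin {
    # Needed only when the agent service logs on as the Built-In Local Administrator.
    # FilterAdministratorToken=1 is the registry form of the policy
    # "User Account Control: Admin Approval Mode for the Built-in Administrator account".
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $cur = (Get-ItemProperty -Path $UacKey -Name FilterAdministratorToken -ErrorAction SilentlyContinue).FilterAdministratorToken
    if ($cur -eq 1) { Write-Verbose 'Admin Approval Mode for the built-in Administrator is already enabled'; return }
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set FilterAdministratorToken=1')) {
        Set-ItemProperty -Path $UacKey -Name FilterAdministratorToken -Value 1 -Type DWord
    }
}

# Example: open the agent port only to the console at 10.0.0.5 (constructed address), preview only.
# Add-AgentPortRule -RemoteIp 10.0.0.5 -WhatIf
```

Because the agent performs the audit under its own service logon account, none of this changes which column of the table a given pairing lands in; the script only removes the two reasons the agent could not be reached or could not run at all.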


Legacy ID: 41372

