Audits run from Windows 2003 SP1 result in no audit data or criteria error
|Article:TECH14117|||||Created: 2006-06-01|||||Updated: 2007-03-26|||||Article URL http://www.symantec.com/docs/TECH14117|
When running an audit using Security Expressions Console, Audit Express,or Security Expressions Server, a similar error to the following appears in the audit results:
Error in criteria for rulelist 'Internet Explorer 5.01 (IE SP3)':
Criteria='(IE501 && IE SP3)' Error='Rule:IE501: 5: Access is denied.
Software\Microsoft\Internet Explorer\Version Vector IE' Machine
When running a scheduled audit, the Error, Info, OK, and NOT OK fields all show 0 in the results.
The Security Expressions Console, Audit Express, and/or Security Expressions Server is running on Microsoft Windows 2003 with SP1.
A custom program that uses the RegConnectRegistry function can no longer access the registry of a remote computer in Windows Server 2003 with SP1.
Microsoft has a knowledgebase article which addresses this issue with Service Pack 1 for Windows 2003 Server. This hotfix is included in Service Pack 2 for Windows 2003 Server, though you must still complete the instructions in the associated Microsoft KB to resolve this issue. Please refer to the following link for more information:
2. Follow the instructions as outlined in the knowledgebase article
* The credentials must have access to all target systems which will be audited by the scheduled job.
2. Open Administrative Tools.
3. Open Services.
4. Right-click on Altiris Security Audit Scheduler Service.
5. Select Properties.
6. Select the Log On tab.
7. Select the radio button labeled This account.
8. Enter the username and password. Remember that domain usernames must be preceded by the <domain name>\.
9. Restart The Service.
10. Run the Scheduled Audit from your Security Expressions Product.
Article URL http://www.symantec.com/docs/TECH14117