Audits run from Windows 2003 SP1 result in no audit data or criteria error

Article:TECH14117  |  Created: 2006-06-01  |  Updated: 2007-03-26  |  Article URL http://www.symantec.com/docs/TECH14117
Article Type
Technical Solution


Issue



When running an audit using Security Expressions Console, Audit Express,or Security Expressions Server, a similar error to the following appears in the audit results:

Error in criteria for rulelist 'Internet Explorer 5.01 (IE SP3)':
Criteria='(IE501 && IE SP3)' Error='Rule:IE501: 5: Access is denied.
Software\Microsoft\Internet Explorer\Version Vector IE' Machine

When running a scheduled audit, the Error, Info, OK, and NOT OK fields all show 0 in the results.


Environment



The Security Expressions Console, Audit Express, and/or Security Expressions Server is running on Microsoft Windows 2003 with SP1.

Cause



A custom program that uses the RegConnectRegistry function can no longer access the registry of a remote computer in Windows Server 2003 with SP1.


Solution



Microsoft has a knowledgebase article which addresses this issue with Service Pack 1 for Windows 2003 Server. This hotfix is included in Service Pack 2 for Windows 2003 Server, though you must still complete the instructions in the associated Microsoft KB to resolve this issue. Please refer to the following link for more information:

      http://support.microsoft.com/kb/913327

    1. Contact Microsoft in regards to this KB to obtain a copy of the hotfix

   2. Follow the instructions as outlined in the knowledgebase article

 To work around this issue, you may enter a set of valid credentials on the Altiris Security Audit Scheduler Service.

 Make certain that the credentials meet the following criteria:

     * The credentials must have the right to "log on as a service."

    * The credentials must have access to all target systems which will be audited by the scheduled job.

 Follow these steps to run the Altiris Security Audit Scheduler Service as a user account.

    1. Open Control Panel.

   2. Open Administrative Tools.

   3. Open Services.

   4. Right-click on Altiris Security Audit Scheduler Service.

   5. Select Properties.

   6. Select the Log On tab.

   7. Select the radio button labeled This account.

   8. Enter the username and password. Remember that domain usernames must be preceded by the <domain name>\.

   9. Restart The Service.

  10. Run the Scheduled Audit from your Security Expressions Product.

 


Legacy ID



23092


Article URL http://www.symantec.com/docs/TECH14117


Terms of use for this information are found in Legal Notices