Data Loss Prevention

  • 1.  Discovery Scans Failing

    Posted Aug 30, 2016 10:02 PM

    Hello,

    I'm seeing discovery scans fail in the first .1-.5 seconds of it starting for our main storage shares. The shares are mounted from a NetApp (assume it's called cbddata001) and no matter what the combination of AD service accounts, admin accounts and input of paths, DLP either comes back with Access Denied or Unknown error

    Just a couple of failing examples:
    \\CBDDATA001\shared\marketing
    \\dc1xxx02\shared\marketing
    \\dc1xxx02.acme.local\shared\IT
    \\10.254.4.100\shared\engineering

    Note: nslookup 'cbddata001' = dc1xxx02.acme.local & 10.254.4.100

    However, I can successfully scan a basic Windows share on a server:
    \\cbdapps01\data
    \\cbdweb05\temp

    Are there any things worth trying to get DLP auth and scan our main storage folders?

    Forgive me for not supplying much techy detail for this question in depth. I'm still getting an understanding of our infrastructure. I have popped a couple of screenshots up too.

    Thank you
    Dan



  • 2.  RE: Discovery Scans Failing

    Trusted Advisor
    Posted Aug 31, 2016 02:46 AM

    Hello Dan,

    Did you check that when you connect to the Discover server you are able to access (and/or ping) these shared drives?

    Regards.



  • 3.  RE: Discovery Scans Failing

    Posted Aug 31, 2016 04:43 AM

    Hi Stéphane, thanks for the reply.

    When I log into the Discover server, as my staff admin account, I can browse, map and ping \\CBDDATA001\. If I try and map a network drive using service accounts they don't work.

    net use \\cbddata001\shared /user:service-account@acme.local service-password

    System error 1312 has occurred. (Or error 86 password incorrect)

    A specified logon session does not exist. It may already have been terminated. (or error 86 the specified network password is incorrect)

    But if we map to a Windows server and not the NetApp it works OK. So it proves the password is OK.

    Kind regards.

    Dan



  • 4.  RE: Discovery Scans Failing

    Posted Aug 31, 2016 04:45 AM

    It appears to not like the NetApp.



  • 5.  RE: Discovery Scans Failing

    Trusted Advisor
    Posted Aug 31, 2016 05:30 AM

    Hi,

    Check this article; it may help you solve your issue:

    https://support.symantec.com/en_US/article.TECH221119.html

    Regards



  • 6.  RE: Discovery Scans Failing

    Posted Aug 31, 2016 09:30 PM

    Hi Stéphane,

    I have checked one of the Discovery servers and am getting the Wintel engineer to check the rest but this one appears to be correct.

    clean_dlp_discovery_svcaccounts_screenshot.png

    Cheers
    Dan



  • 7.  RE: Discovery Scans Failing

    Trusted Advisor
    Posted Sep 01, 2016 02:48 AM

    Hi,

    Did you check that the communication ports from the Discover server to the NetApp are open:

    Discover -> file share port 445 for CIFS/SMB

    Discover -> file share port 2049 for NFS

    You may also increase the DLP log level (if possible) in order to get more information on this issue.

    Regards



  • 8.  RE: Discovery Scans Failing

    Posted Sep 02, 2016 12:04 AM

    Hi Stéphane,

    The reply I got was:

    "Discover -> file share port 445 for CIFS/SMB = Yes, it's open."
    "Discover -> file share port 2049 for NFS = Not used."

    I'll look at where to change the logging settings.

    Cheers
    Dan



  • 9.  RE: Discovery Scans Failing
    Best Answer

    Posted Sep 02, 2016 02:53 AM

    Great success!

    Our security GPO baseline was preventing the storage of creds for network auth. 

    "Network Access: Do not allow storage of passwords and credentials for network authentication = Enabled". This setting was set to "= Disabled" to resolve.
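
Added example, not part of the original thread: a PowerShell check that reads the registry value behind the policy named in the best answer (`DisableDomainCreds` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) on each Discover server and also tests SMB port 445 to the file server, as asked in post 7. The host names in `$DiscoverServers` are hypothetical, and the script assumes PowerShell remoting is enabled and `Test-NetConnection` is available on the Discover servers.

```powershell
# Added example: not from the thread. Host names in $DiscoverServers are hypothetical.
$DiscoverServers = @('discover01', 'discover02')
$FileServer      = 'cbddata001'   # NetApp name as given in the thread

$check = {
    param($Target)
    # Registry value behind "Network access: Do not allow storage of passwords
    # and credentials for network authentication" (1 = Enabled, 0 or absent = Disabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
    $value = if ($null -ne $lsa) { [int]$lsa.DisableDomainCreds } else { 0 }

    # TCP reachability of SMB on the file server, as asked in post 7.
    $smb = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server                   = $env:COMPUTERNAME
        DisableDomainCreds       = $value
        CredentialStorageBlocked = ($value -eq 1)
        Smb445Reachable          = [bool]$smb.TcpTestSucceeded
    }
}

$results = foreach ($server in $DiscoverServers) {
    try {
        Invoke-Command -ComputerName $server -ScriptBlock $check -ArgumentList $FileServer -ErrorAction Stop |
            Select-Object Server, DisableDomainCreds, CredentialStorageBlocked, Smb445Reachable
    }
    catch {
        # Remoting failed: record the host so it is not silently skipped.
        [pscustomobject]@{
            Server = $server; DisableDomainCreds = $null
            CredentialStorageBlocked = $null; Smb445Reachable = $null
        }
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize
```

A server that reports `CredentialStorageBlocked` as True while `Smb445Reachable` is True matches the situation in this thread: the port is open but stored credentials cannot be used. Because the value is delivered by GPO, a local registry change is overwritten at the next policy refresh, so any exception has to be made in the policy that applies to the Discover servers.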