
FOR OFFICIAL USE ONLY

FOR OFFICIAL USE ONLY

Computer Network Defense (CND) – Afloat (A)

Computer Network Defense – Operating System Environment (CND-OSE) 1.3

Troubleshooting Guide v1

05 May 2014

Prepared by:

SPAWAR Systems Center Pacific (SSC Pacific) Code 58210

53560 Hull Street San Diego, CA 92152-5001

THIS DOCUMENT CONTAINS INFORMATION EXEMPT FROM MANDATORY DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT.

EXEMPTIONS 1 AND 5 OF THE ACT, 5 U.S.C § 552(B)(1), (B)(5) (2000) & DOD REGULATION 5400.7-R § C3.2.1.5.1.6 APPLY. OTHER REQUEST FOR THIS DOCUMENT MUST BE REFERRED TO:

COMMANDING OFFICER SPACE AND NAVAL WARFARE SYSTEMS CENTER CODE 85300 SAN DIEGO, CA 92152-5001


DOCUMENT REVISION HISTORY

Date Modified | CND-OSE Version | Doc Version No. | Modifier Name | Description
05 May 2014   | 1.3             | 1               | Alan Godwin   | Replaced SCCVI with ACAS-Scanner


CHANGE LOG FOR 05 MAY 2014

Page | Description
All  | Modified document in full for the implementation of ACAS VM and the removal of SCCVI. Removed all applicable references to the SCCVI VM.


TABLE OF CONTENTS

1 ISEA CONTACT INFORMATION ... 8
2 TIPS, TRICKS, AND ISSUES WITH ESX ... 8
2.1 MANUAL ESX SERVER INSTALLATION PROCEDURES ... 8
2.2 REINSTALLING ESX SERVER WHILE PRESERVING VIRTUAL MACHINES ... 9
2.3 TIPS AND TRICKS ... 10
2.3.1 Manual ESX Networking ... 10
2.3.2 Advanced Network Configuration ... 10
2.3.3 ESX Server Commands for Troubleshooting Blade Installation ... 11
2.4 ISSUES ... 11
2.4.1 System won't boot: Grub Loading Error 15 ... 11
2.4.2 Software Compatibility Issues with NICs ... 13
2.4.3 Network Interface Card may need to be statically set to the speed of the router ... 13
2.4.4 Server Does Not Boot ... 13
2.4.5 Can't ssh into the ESX system ... 13
2.4.6 TAG Installation: 'No Hard Drives Have Been Found' ... 14
2.4.7 Can't Log into the vSphere Client After Obtaining DoD PKI Certificates ... 14
2.4.8 Virtual Machine Appears as Invalid ... 16
2.4.9 Cannot synchronize ESX server to ship's time server ... 16
2.4.10 Unable to connect to a Virtual Machine (Timeout) ... 17
2.4.11 Unable to connect to a Virtual Machine (Failed to connect to server) ... 18
2.4.12 Locked out user or root account ... 18
2.4.13 vSphere client install fails (Microsoft J#) ... 19
3 TIPS, TRICKS, AND ISSUES WITH HBSS ... 19
3.1 TIPS AND TRICKS ... 19
3.1.1 General Tips ... 19
3.1.2 Removing the HBSS Products and Agent using ePO ... 20
3.1.3 Manually Removing the HBSS Products and Agent from a Local Windows System ... 24
3.1.4 Removing the HBSS Products and Agent from non-Windows systems (LINUX, Mac, Solaris, HP-UX, and AIX) ... 28
3.1.5 McAfee Status Window ... 29
3.1.6 Manually adding the HIPS module to local workstations ... 29
3.1.7 Installing HIPS and McAfee Agents on an Image ... 30
3.1.8 Redirecting the communication of a Windows McAfee Agent 4.x to a new ePO 4.x server ... 30
3.1.9 Redirecting the communication of a Linux McAfee Agent to a new ePO server ... 31
3.1.10 HIPS - Learn Remote IP address for Adaptive/Learn mode Firewall Rules ... 32
3.2 ISSUES ... 33
3.2.1 ePO Issue with Importing Domain Information ... 33
3.2.2 HBSS Agent Push Issues ... 33
3.2.3 Unable to Log into ePO Console ... 33


3.2.4 Forgot ePO Console Password ... 35
3.2.5 Assets are not communicating with the HBSS Server ... 36
3.2.6 Trouble Importing ePO Policies ... 37
3.2.7 HIPS Events Not Purging ... 37
3.2.8 File Integrity Events Not Purging ... 38
3.2.9 DLP Monitor Events Not Purging ... 38
3.2.10 COMPOSE Servers trigger UDP Port Scan and TCP Port Scan ... 38
3.2.11 Continuous Reboot Prompt During HIPS Install ... 39
3.2.12 DLP Policy will not Load on Workstations ... 39
3.2.13 HBSS is controlling/updating the Symantec Antivirus ... 39
3.2.14 HBSS PKI Certificates are not working ... 40
3.2.15 HIPS Firewall learn remote IP during adaptive mode ... 41
3.2.16 Rogue System Sensor not reporting back to ePO server ... 41
3.2.17 ISA Server (DC02) cannot communicate with HBSS ... 42
3.2.18 HBSS VM is running extremely slow (100% CPU usage) ... 42
3.2.19 DLP Outlook add-in causes Microsoft Outlook error ... 42
3.2.20 NCDOC Roll-up is failing ... 43
3.2.21 COMPOSE 4.x TMG Server "blue screens" after pushing HIPS ... 45
3.2.22 Cannot Remove the Default ePO key ... 45
3.2.23 Cannot Transfer Files Needed for Manual Deployment of McAfee Agent ... 45
3.2.24 RSD Becomes Passive on Domain Controller ... 46
4 TIPS, TRICKS, AND ISSUES WITH ACAS-SCANNER ... 47
4.1 TIPS AND TRICKS ... 47
4.1.1 Additional Resources ... 47
4.1.2 How to verify scan results contain all available hosts ... 48
4.1.3 How to determine available bandwidth to NOC Security Center ... 49
4.1.4 How to check if Security Center is connecting to the Scanner ... 50
4.1.5 How to monitor Scanner plug-in updates ... 50
4.2 ISSUES ... 50
4.2.1 Cannot Perform a Deep Scan ... 50
4.2.2 Cannot perform Deep Scans with UAC Enabled on Windows Vista, 7, 2008 ... 51
4.2.3 ACAS Scanner cannot login to switch during scans ... 51
4.2.4 ACAS Scanner cannot login to router during scans ... 53
4.2.5 Report includes hosts that are no longer on the network* ... 54
4.2.6 SCAP scanning returns no results ... 54
4.2.7 HBSS Policy fails to import stating invalid or read only policies ... 55
4.2.8 HBSS fails to install deployment task modules ... 55
4.2.9 BackupExec Server fails to connect to BackupExec Agent on ACAS-scanner ... 56
4.2.10 BackupExec Agent reported Failed during installation ... 57
4.2.11 Backup of ACAS-scanner Completes with Exceptions ... 58
5 TIPS, TRICKS, AND ISSUES WITH MSSQL ... 59
5.1 ISSUES ... 59
5.1.1 MSSQL Maintenance Plan Fails ... 59


6 TIPS, TRICKS, AND ISSUES WITH BACKUPS ... 61
7 MISCELLANEOUS TIPS/TRICKS/ISSUES ... 64
7.1 KVM USB / PS/2 MODE ... 64
8 USEFUL TROUBLESHOOTING COMMANDS ... 64
8.1 NET USE ... 64
8.1.1 Net use command syntax ... 64
8.1.2 Net use command parameters ... 64
8.1.3 Net use command remarks ... 66
8.1.4 Net use command examples ... 66
8.2 NSLOOKUP ... 66
8.2.1 Nslookup command syntax ... 66
8.2.2 Nslookup command examples ... 68
8.3 REMOTE DESKTOP ... 68
9 3RD PARTY TOOLS ... 69
9.1 PSEXEC ... 69
9.1.1 Pushing out HBSS agents via PSEXEC ... 69
9.1.2 PSEXEC Syntax ... 70
9.1.3 PSEXEC Examples ... 71


1 ISEA Contact Information

In-Service Engineering Agent (ISEA) Tactical Networks ISEA Fleet Support Desk
COMM: 1-877-41-TOUCH (OPTIONS 2, 3, 1, 1)
DSN: 510-4-2-TOUCH (OPTIONS 2, 3, 1, 1)
[email protected] / [email protected]

2 Tips, Tricks, and Issues with ESX

2.1 Manual ESX Server Installation Procedures

Overview: In the event that the kickstart script is not available, perform the following manual ESX server installation procedures.

Steps:

1) With the CND-OSE DVD 1 in the DVD drive, power on the server and boot from the DVD.
2) Select Install ESX in GUI mode (Standard) to start the graphical installer.
3) At the Welcome screen click Next.
4) Check the box to accept the VMware license agreement. Click Next.
5) US English should be selected by default. If not, select your keyboard and click Next.
6) Custom drivers go beyond this guide; contact ISEA for assistance if custom drivers are required. Click Next.
7) At the Load Drivers popup window click Yes.
8) Click Next when drivers load 100%.
9) Enter the serial number found in the ILS package; otherwise select Enter a serial number later and click Next.
10) Leave the default settings for the Network Configuration and click Next.
11) Leave the default DHCP settings for the Network Configuration and click Next.
12) Select the default Standard setup and click Next.
13) Leave the default ESX Storage Device and click Next.
14) At the popup window, if the check box to preserve the vmfs partition is available, uncheck it and click OK.
15) Select the correct Time Zone and click Next.
16) If connecting to a COMPOSE environment, select Automatically and enter distroserver as the NTP Server; otherwise set the time manually and click Next.
17) Enter the root password (the standard for the CNDOSE load is mko0(IJNmko0(IJN) and click Next.
18) At the Summary window click Next.
19) A progress bar shows the status of the installation. Approximate time is 10 minutes. Click Next when complete.
20) Click Finish; the DVD will eject and ESX will reboot.


21) Press Alt+F1 and log in as root.
22) Re-insert the CND-OSE DVD.
23) Type at the prompt: mount /dev/cdrom
24) Type at the prompt: sh /mnt/cdrom/VMware/VMconf/esxconf.sh
25) When the prompt returns, type: eject
26) Type at the prompt: reboot
27) Once the computer boots, press Alt+F1 and log in as root.
28) Continue following the standard CND-OSE 1.2 Installation procedures contained in the Installation Guide. Proceed from section B.1, Step 19 esx-setip.

2.2 Reinstalling ESX Server While Preserving Virtual Machines

1) With the CND-OSE DVD 1 in the DVD drive, power on the server and boot from the DVD.
2) Select Install ESX in GUI mode (Standard) to start the graphical installer.
3) At the Welcome screen click Next.
4) Check the box to accept the VMware license agreement. Click Next.
5) US English should be selected by default. If not, select your keyboard and click Next.
6) Custom drivers go beyond this guide; contact ISEA for assistance if custom drivers are required. Click Next.
7) At the Load Drivers popup window click Yes.
8) Click Next when drivers load 100%.
9) Enter the serial number found in the ILS package; otherwise select Enter a serial number later and click Next.
10) Leave the default settings for the Network Configuration and click Next.
11) Leave the default DHCP settings for the Network Configuration and click Next.
12) Select the default Standard setup and click Next.
13) Leave the default ESX Storage Device and click Next.
14) At the popup window, check the box to preserve the vmfs partition and click OK.
15) At the popup window, uncheck the box to preserve the esx console and click OK.
16) Select the correct Time Zone and click Next.
17) If connecting to a COMPOSE environment, select Automatically and enter distroserver as the NTP Server; otherwise set the time manually and click Next.
18) Enter the root password (the standard for the CNDOSE load is mko0(IJNmko0(IJN) and click Next.
19) At the Summary window click Next.
20) A progress bar shows the status of the installation. Approximate time is 10 minutes. Click Next when complete.
21) Click Finish; the DVD will eject and ESX will reboot.
22) Press Alt+F1 and log in as root.
23) Re-insert the CND-OSE DVD.
24) Type at the prompt: mount /dev/cdrom
25) Type at the prompt: sh /mnt/cdrom/VMware/VMconf/esxconf.sh
26) When the prompt returns, type: eject
27) Type at the prompt: reboot


28) Once the computer boots, press Alt+F1 and log in as root.
29) Type: vmware-cmd -s register /vmfs/volumes/storage1/HBSS/HBSS.vmx
30) Type: vmware-cmd -s register /vmfs/volumes/storage1/MSSQL/MSSQL.vmx
31) Type: vmware-cmd -s register /vmfs/volumes/storage1/ACAS-Scanner/ACAS-Scanner.vmx
32) Refer to the Installation Guide and continue from page 9 step 10.
33) Skip section 4.7 page 35. Do not import the VMs.
34) Complete the Installation Guide.

2.3 Tips and Tricks

2.3.1 Manual ESX Networking

Perform the following steps if there is no connectivity between the VMware Virtual Infrastructure Client (VIC) and the ESX server.

1) Access the ESX server console and press ALT-F1 to view the logon prompt.
2) Enter proper credentials.
3) The following command is used to change the IP address:

esxcfg-vswif vswif0 -i <NEW IP> -n <NEW SUBNET MASK>

4) Edit /etc/sysconfig/network to change the gateway IP address and hostname:

GATEWAY=<NEW GATEWAY IP ADDRESS>
HOSTNAME=<FULLY QUALIFIED DOMAIN NAME>

5) Edit /etc/hosts and update the file with the new IP address and hostname.
6) Edit /etc/resolv.conf and change the search and nameserver fields to the correct information (one IP per nameserver entry):

search <DOMAIN NAME>
nameserver <IP ADDRESS OF DNS SERVER>

7) Type the following command to activate the changes:

service network restart

2.3.2 Advanced Network Configuration

The following commands modify vSwitches for Virtual Machines and ESX services (operation, command syntax, example):

Display switch configuration: esxcfg-vswitch -l
Add switch: esxcfg-vswitch -a <switch> (e.g. esxcfg-vswitch -a vSwitch99)
Add PortGroup: esxcfg-vswitch <switch> -A <portgroup> (e.g. esxcfg-vswitch vSwitch99 -A Test)


Remove PortGroup: esxcfg-vswitch <switch> -D <portgroup> (e.g. esxcfg-vswitch vSwitch99 -D Test)
Remove switch: esxcfg-vswitch -d <switch> (e.g. esxcfg-vswitch -d vSwitch99)
Add NIC: esxcfg-vswitch <switch> -L <NIC> (e.g. esxcfg-vswitch vSwitch0 -L vmnic1)
Remove NIC: esxcfg-vswitch <switch> -U <NIC> (e.g. esxcfg-vswitch vSwitch0 -U vmnic0)

2.3.3 ESX Server Commands for Troubleshooting Blade Installation

From the ESX server, log in as root. Command, then description:

esxcfg-firewall -s: identify the iSCSI service name in the service console firewall
esxcfg-firewall -q swISCSIClient: query the iSCSI client service
esxcfg-firewall -e swISCSIClient: enable the iSCSI client service
esxcfg-swiscsi -q: check if the iSCSI software adapter is enabled or disabled
vmkiscsi-tool -I -l vmhba32: view the iSCSI name
vmkiscsi-tool -T -l vmhba32: list the targets found
vmkiscsi-tool -L -l vmhba32: list the LUNs found
cat /proc/scsi/vmkiscsi/*: list targets found
tail -f /var/log/messages: view iSCSI daemon logged messages
/sbin/vmkiscsid -d <#> (where # is 1 to 9): start the iSCSI daemon in verbose mode
vmkping: verify the VMkernel's access to the iSCSI target
tail -f /var/log/vmkernel: examine vmkernel logs

2.4 Issues

2.4.1 System won't boot: Grub Loading Error 15

Issue: The system will not boot and the user receives Grub Loading Error 15.

Cause: The make.usbbackup script was run without configuring the device in /usr/local/bin/backup.conf first, resulting in device /dev/sda1 being erased.


Solution: Re-install ESX. If the Virtual Machines need to be recovered without reinstalling, follow the steps below (this differs slightly from section 1.2):

1) Disconnect the USB drive from the server if it is connected.
2) With the CND-OSE DVD 1 in the DVD drive, power on the server and boot from the DVD.
3) Select Install ESX in GUI mode (Standard) to start the graphical installer.
4) At the Welcome screen click Next.
5) Check the box to accept the VMware license agreement. Click Next.
6) US English should be selected by default; click Next.
7) For custom drivers select No and click Next.
8) At the Load Drivers popup window click Yes.
9) Click Next when drivers load 100%.
10) Enter the serial number found in the ILS package; otherwise select Enter a serial number later and click Next.
11) Leave the default settings for the Network Configuration and click Next.
12) Leave the default DHCP settings for the Network Configuration and click Next.
13) Select the default Standard setup and click Next.
14) Leave the default ESX Storage Device and click Next.
15) At the popup "The contents of the selected storage device will be erased..." press CTRL+ALT+F2.
16) At the console window press Enter.
17) Type: mkdir /mnt/boot
18) Type: mount /dev/sda1 /mnt/boot
19) Type: touch /mnt/boot/vmlinuz-2.6.18.194.ESX
20) Type: umount /dev/sda1
21) Press CTRL+ALT+F6 to return to the GUI install.
22) Click Cancel.
23) Click Next.
24) At the popup window, check the box to preserve the vmfs partition and click OK.
25) Select the correct Time Zone and click Next.
26) If connecting to a COMPOSE environment, select Automatically and enter distroserver as the NTP Server; otherwise set the time manually and click Next.
27) Enter the root password (the standard for the CNDOSE load is mko0(IJNmko0(IJN) and click Next.
28) At the Summary window click Next.
29) A progress bar shows the status of the installation. Approximate time is 10 minutes. Click Next when complete.
30) Click Finish; the DVD will eject and ESX will reboot.
31) Press Alt+F1 and log in as root.
32) Re-insert the CND-OSE DVD.
33) Type at the prompt: mount /dev/cdrom
34) Type at the prompt: sh /mnt/cdrom/VMware/VMconf/esxconf.sh
35) When the prompt returns, type: eject
36) Type at the prompt: reboot


37) Once the computer boots, press Alt+F1 and log in as root.
38) Type: vmware-cmd -s register /vmfs/volumes/storage1/HBSS/HBSS.vmx
39) Type: vmware-cmd -s register /vmfs/volumes/storage1/MSSQL/MSSQL.vmx
40) Type: vmware-cmd -s register /vmfs/volumes/storage1/ACAS-Scanner/ACAS-Scanner.vmx
41) Refer to the Installation Guide and continue from page 9 step 10.
42) Skip section 4.7 page 35. Do not import the VMs.
43) Complete the Installation Guide.

2.4.2 Software Compatibility Issues with NICs

ESX software does not recognize fiber-based NICs. Copper-based NICs should be used with ESX installations.

2.4.3 Network Interface Card may need to be statically set to the speed of the router

1) From the vSphere client, select the Configuration tab and highlight Networking.
2) Click on Properties of the Virtual Switch you need to set.
3) Click on the Network Adapters tab and click Edit.
4) The Configured Speed, Duplex defaults to Auto negotiate. Select the correct speed so that it matches the router (e.g. 100 Mb, Full Duplex). You may need to ask the ship's administrator for the correct setting.

2.4.4 Server Does Not Boot

Issue: When the server turns on, the internal fan spins constantly on high. Normally, during a reboot the internal server fan spins on high for only a few seconds.

Solution: If the fan continually spins on high, power down the server. Open the server case and verify that the memory is properly seated.

2.4.5 Can't ssh into the ESX system

Issue: When using pscp (secure copy) or PuTTY, the administrator receives "access denied".

Cause: The ESX system is NOT configured to permit users with root privileges to ssh into the system.

Solutions:

Option 1: Create/modify the user such that the user is not in the 'root' group.

1) Log into the vSphere client.
2) Highlight the server in the tree and click on the Users & Groups tab.
3) Highlight the desired user, right-click and select Edit.
4) Click on the drop-down arrow under Group. Select the 'root' group and click Remove. Click OK.
5) To create a user with administrator privileges that is not in the 'root' group, refer to the New System User Accounts section in the Site Configuration Guide.


Option 2: Modify the configuration file to temporarily allow root access.

1) Log into the ESX server with administrator privileges.
2) Type: nano /etc/ssh/sshd_config
3) Scroll down and locate the line "PermitRootLogin".
4) Change the 'no' to 'yes'.
5) Hit Ctrl-O to save. Hit Enter to confirm.
6) Hit Ctrl-X to exit.
7) Type: service sshd restart
8) NOTE: Remember to go back and change the configuration back to the original settings.
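The following is an added example, not part of the CND-OSE guide: a small script for step 8 above that reports whether the temporary PermitRootLogin change was left in place and reverts the global directive. It assumes a POSIX sh with awk; the sshd_config shown inside it is a constructed sample, and the file path on a real host (/etc/ssh/sshd_config) is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the CND-OSE guide): audit and revert the global
# PermitRootLogin directive that Option 2 of section 2.4.5 temporarily sets.
# Only the global section counts: a PermitRootLogin inside a Match block applies
# to matched connections only, so the first Match line ends the search.
# Assumes POSIX sh with awk. Paths are arguments (/etc/ssh/sshd_config on ESX).

# Print the effective global PermitRootLogin value (sshd honours the first
# uncommented directive), or "unset" if none precedes the first Match block.
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# True (exit 0) when root login over ssh was left enabled, i.e. Option 2 was
# applied and step 8 (change it back) was forgotten.
root_login_left_enabled() {
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# Rewrite the first global PermitRootLogin directive to $2 in place, inserting
# one before the first Match block (or at the end) if the file has none.
# Directives inside Match blocks are left untouched.
set_global_permit_root_login() {
    file="$1"
    value="$2"
    tmp=$(mktemp)
    awk -v v="$value" '
        !done && tolower($1) == "match" { print "PermitRootLogin " v; done = 1 }
        tolower($1) == "match"          { in_match = 1 }
        !in_match && !done && tolower($1) == "permitrootlogin" {
            print "PermitRootLogin " v; done = 1; next
        }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed sshd_config (not a real host's file): the state Option 2
# leaves behind after step 4, then the revert required by step 8.
demo() {
    cfg=$(mktemp)
    printf '%s\n' \
        '# constructed sample sshd_config' \
        '#PermitRootLogin no' \
        'PermitRootLogin yes' \
        'Match User backup' \
        '    PermitRootLogin no' > "$cfg"
    echo "before: PermitRootLogin is $(effective_permit_root_login "$cfg")"
    if root_login_left_enabled "$cfg"; then
        echo "root ssh login is enabled; reverting per step 8"
        set_global_permit_root_login "$cfg" no
    fi
    echo "after:  PermitRootLogin is $(effective_permit_root_login "$cfg")"
    rm -f "$cfg"
}

demo
```

On a live host, `sshd -T | grep -i permitrootlogin` prints the value the running daemon would actually apply, which is the authoritative cross-check after `service sshd restart`.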

2.4.6 TAG Installation: 'No Hard Drives Have Been Found'

If the message 'Warning: No hard drives have been found. You probably need to manually choose device drivers for the installation to succeed. Would you like to select the drivers now?' appears during the initial install, the RAID Array has not been set. To set the RAID Array:

1) Watch the initial boot-up screen and look for the Adaptec RAID BIOS screen.
2) At the Adaptec RAID BIOS page press Ctrl+A.
3) On the Adaptec 5805 Family Controller page select Array Configuration Utility.
4) From the Main Menu, choose Create Array.
5) Press the Insert key to select each of the drives to create the Array. Add all drives to the Array before proceeding.
6) In the Array Properties page, select RAID 5 for Array Type.
7) Create a label for the Array in Array Label.
8) Leave the defaults for the remaining fields:
   • Array Size: 837 GB
   • Stripe Size: 256 GB
   • Read Caching: Enable MaxIQ
   • Write Caching: Enable always (when prompted, answer 'yes' and 'yes' to the write cache prompts)
   • Create RAID via: Build/Verify
9) Press any key to continue.
10) Once complete, press the Esc key twice and answer Yes to Exit Utility.
11) The system will reboot.
12) Continue with the installation procedures in the CND-OSE Installation Guide.

2.4.7 Can't Log into the vSphere Client After Obtaining DoD PKI Certificates

Issue: After obtaining the DoD PKI Certificates for ESX, the administrator is unable to log into the vSphere Client.

Cause: Certificates are corrupt or the certificate request does not correspond to the private key.


Note: When you create a certificate signing request (CSR) and private key to obtain an SSL certificate, the private key contains internal data called a modulus. This is integral to the security of your SSL encryption. If your private key and certificate do not contain the same modulus, then Apache may refuse to start or it may not respond properly to SSL requests. You can check the modulus of your private key and SSL certificate with these commands:

openssl rsa -noout -modulus -in rui.key | openssl md5
openssl x509 -noout -modulus -in rui.crt | openssl md5

If the MD5 checksums match, then the certificate and key will work together. However, if they are different, then you cannot use them together. Generally, this means that you used the wrong CSR (that corresponded to some other private key) when you obtained/created your SSL certificate.
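The following is an added example, not part of the CND-OSE guide: the two modulus commands above wrapped as one check that compares the full modulus strings rather than their MD5 (the md5 step in the guide only shortens the output for comparison by eye). It assumes the openssl CLI is on the PATH; the key/certificate pair it builds for the demo is constructed in a temp directory, with the subject values taken from the example in Option 1 below.

```shell
#!/bin/sh
# Added example (not from the CND-OSE guide): check that rui.key and rui.crt
# belong together by comparing the RSA modulus of each, as section 2.4.7 does.
# Assumes the openssl CLI is available.

# Returns 0 if the key and certificate share a modulus, 1 if they do not, and
# 2 if either file cannot be read as an RSA private key / X.509 certificate
# (a corrupt file, the other symptom the section names).
key_cert_match() {
    key="$1"
    crt="$2"
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 2
    if [ "$key_mod" = "$crt_mod" ]; then
        echo "MATCH: $key and $crt belong together"
        return 0
    fi
    echo "MISMATCH: $key and $crt do not belong together (CSR from another key?)"
    return 1
}

# Constructed fixture for the demo: a self-signed pair made the same way the
# guide's "openssl req" step makes rui.key/rui.crt, plus a second key that does
# not belong to that certificate. Prints the temp directory holding the files.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -nodes -new -x509 -newkey rsa:2048 \
        -keyout "$dir/rui.key" -out "$dir/rui.crt" -days 3650 \
        -subj "/C=US/ST=California/L=San Diego/O=US Navy/OU=CVN72/CN=cndose.cvn72.navy.mil" \
        >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    echo "$dir"
}

# Usage: sh check_rui.sh /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.crt
# With no arguments, runs the demo against the constructed fixture.
if [ $# -eq 2 ]; then
    key_cert_match "$1" "$2"
else
    d=$(make_fixture)
    key_cert_match "$d/rui.key" "$d/rui.crt"            # MATCH
    key_cert_match "$d/other.key" "$d/rui.crt" || true  # MISMATCH
    rm -rf "$d"
fi
```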

Solutions:
Option 1: Re-create the self-signed certificate (i.e. recreate rui.key and rui.crt) and then complete the PKI Certificates portion again. Note that the openssl command below overwrites the existing rui.key and rui.crt; copy them aside first if you may need them for comparison.

1) Log into the ESX server as root (or any account with administrator privileges).
2) At the prompt type:
   cd /etc/vmware/ssl
   followed by:
   openssl req -nodes -new -x509 -keyout rui.key -out rui.crt -days 3650
3) Seven prompts will appear. Input the required information, for example:
   o Country Name: US
   o State or Province Name: California
   o Locality Name: San Diego
   o Organization Name: US Navy
   o Organizational Unit Name: CVN72
   o Common Name (e.g., your name or server's hostname): cndose.cvn72.navy.mil
   o Email Address: <leave blank>
4) Reboot the server.
5) To test that the self-signed certificates are working, launch the vSphere Client from a COMPOSE workstation.
6) Re-do the PKI Certificate portion from the Site Configuration guide to obtain the proper DoD certificate for your ESX server.


2.4.8 Virtual Machine Appears as Invalid
Issue 1: The virtual machine shows as invalid in the vSphere Client.
Cause: The datastore UUID changed due to "resignaturing".
Solutions:
Option 1: Remove the VM from inventory and then add it back.
1) Right-click the virtual machine and choose Remove from Inventory. Caution: Do not choose Delete from Disk.
2) Click on the ESX host and, using the Summary tab, locate the datastore in which the virtual machine resides.
3) Right-click the datastore and click Browse Datastore.
4) Browse to the directory of the virtual machine.
5) Right-click the .vmx file of the virtual machine and choose Add to Inventory.
6) Power on the virtual machine.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002367

Issue 2: The virtual machine shows as invalid in the vSphere Client. If you right-click on the virtual machine, you have the option to power it on. If you initiate a power on, you see the error: "A general system error occurred: Not initialized".
Cause: This issue typically indicates that the virtual machine's .vmx file is corrupted. This may happen if the STIG script is run more than once on the VM, so that its settings are appended to the file a second time.
Solutions:
Option 1: Correct the .vmx file.
1) Log into the ESX server with root privileges.
2) At the prompt type: cd /vmfs/volumes/storage1/<VM>
3) Make a backup copy of the .vmx file before editing it.
4) Use a text editor (e.g. nano or vi) to view and modify the .vmx file as necessary.
5) Towards the end of the file you may see the addendum added by the STIG script. Fix the file as necessary (typically by removing the repeated addendum so that each setting appears once).
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=1005058

2.4.9 Cannot synchronize ESX server to ship's time server
Issue: You receive an error when attempting to complete the Time Configuration so that the ESX server synchronizes to the ship's time server. You may receive an error reading "Failed, could not update host configuration file".


Solution:
1) Log into ESX with root privileges.
2) At the prompt type:
   nano /etc/ntp.conf
3) Page down twice and locate the line beginning with server.
4) Change the server IP address to the IP address of the ship's time server.
5) Press CTRL-O to save the file. Press Enter to overwrite the original.
6) Press CTRL-X to exit.
7) At the prompt type:
   service mgmt-vmware restart
8) ntpd reads ntp.conf only at startup, so restart it as well (service ntpd restart) and confirm with ntpq -p that the ship's time server is listed as a peer.

2.4.10 Unable to connect to a Virtual Machine (Timeout)
Issue: When attempting to connect to a VM, a timeout error occurs (the error dialog is not reproduced in this text).
Cause: The ESX Server does not have DNS configured properly.
Solutions:


Option 1: Correct DNS
1) Log into ESX with root privileges.
2) At the prompt type: esx-setip
3) Follow the prompts and correct the network settings.

Option 2: Comment out DNS names in hosts.allow
1) Log into ESX with root privileges.
2) At the prompt type:
   nano /etc/hosts.allow
3) Comment out the line 'ALL: localhost' by placing a # at the beginning.

2.4.11 Unable to connect to a Virtual Machine (Failed to connect to server)
Issue: When attempting to open a VM console from the vSphere Client, the following error occurs: "Unable to connect to the MKS: Failed to connect to server xxx.xxx.xxx.xxx:903".
Cause: The vSphere Client cannot reach the ESX host's MKS (console) service on TCP port 903, usually because the host name cannot be resolved. The setting below makes the host proxy the console connection instead.
Solution:
1) Log into ESX with root privileges.
2) At the prompt type: nano /etc/vmware/config
3) Add the following line to the end of the file:
   vmauthd.server.alwaysProxy = "TRUE"
4) Press CTRL-X to exit.
5) Press Y when prompted to save the changes.
6) Press Enter to confirm the file name.

2.4.12 Locked out user or root account
Issue: A user or the root account has been locked out.
Solution:
User Account
1) Log into ESX with the root account.
2) At the prompt type: sudo faillog -r <username>

Root Account (single user mode)
Option 1: Reset the root fail count
1) Press the power button on the server for one second to start a graceful shutdown.
2) Power on the server.


3) At the ESX boot menu, press 'p'.
4) Enter the password mko0(IJNmko0(IJN
5) Press 'a' and append 'single' to the end of the line.
6) Press Enter.
7) At the prompt "Give root password for maintenance (or type Control-D to continue)", type the root password (failed-attempt limits are not enforced here).
8) Type faillog -r root to unlock the account.
9) Type reboot to boot back into ESX.

Option 2: Root password is forgotten
Contact ISEA; the system can be recovered, but the procedure is beyond the scope of this guide.

2.4.13 vSphere client install fails (Microsoft J#)
Issue: The vSphere Client installation fails and the user receives a 'Microsoft Visual J# 2.0' error.
Solution: Uninstall Microsoft Visual J# using the Control Panel and reinstall the vSphere Client.

3 Tips, Tricks, and Issues with HBSS
3.1 Tips and Tricks

3.1.1 General Tips
• Online help from McAfee can be found at https://kc.mcafee.com/corporate/index?page=home


• The client UI must be locked in order to update policies. If the client UI is unlocked at the time of the policy push, the client will NOT receive the update.

• Verify that the ESX server and virtual machines have synchronized the time with the ship. Problems may occur with pushing clients/patches if the times are different.

• The ePO Server GUI does NOT always update to reflect the current status. (sometimes restarting the server may help)

• Rogue Sensors may take 10-15 minutes to get pushed/installed and reflected in the ePO server GUI.

3.1.2 Removing the HBSS Products and Agent using ePO
3.1.2.1 Overview
The following steps use ePO to remove the HBSS modules and agent. It is important to follow the order of removal. The HBSS agent should be removed only after the successful removal of all other products.
a. Removing Deployed Products
b. Removing DLP
c. Removing Rogue Sensors
d. Verify Module Removal
e. Removing the HBSS Agent

3.1.2.2 Step 1 - Removing Deployed Products
1) Logon to the ePO Console as an administrator and click System Tree from the menu bar.
2) From the System Tree, select My Organization.
NOTE: At the My Organization level, all systems will have products removed. Select the system tree location as needed.
3) From the right pane, select the Client Tasks tab.


4) For the Task Name Deployment, click Edit Settings under Actions.
5) If the Inheritance row is available, select Break inheritance and assign the policy… and click Next.
6) In the Configuration tab, change the Action drop-downs from Install to Remove for all products except the McAfee Agent (this product does not have a Remove action).


7) Click Next.
8) For the Schedule tab, select Enabled for the Schedule status and Run immediately in the Schedule type drop box, and click Save.
9) Send an Agent Wake-up call to your site.

3.1.2.3 Step 2 – Removing DLP
Note: DLP removal is done separately from the other modules for three reasons.
• DLP is only applied to workstations.
• The DLP task is created separately from the deployment task.
• DLP removal requires a reboot. (NOTE: Always notify ship's force before initiating the task.)
1) Click System Tree from the menu bar.
2) From the System Tree, select My Organization.
NOTE: At the My Organization level all systems will have products removed. Select the system tree location as needed.
3) From the right pane, select the Client Tasks tab.
4) For the Task Name Deploy DLP to Workstations, click Edit Settings under Actions.
5) If the Inheritance row is available, select Break inheritance and assign the policy… and click Next.
6) In the Configuration tab, change the Action drop-downs from Install to Remove for all products.
7) Click Next.
8) For the Schedule tab, select Enabled for the Schedule status and Run immediately in the Schedule type drop box, and click Save.
9) Run an agent wake-up call and verify that DLP has been removed from the domain workstations. Repeat the above steps if there are other workstation nodes with DLP modules installed.
10) Once the Agent Wake-up call(s) are complete, reboot the VM.

3.1.2.4 Step 3 - Removing Rogue Sensors
1) Click Queries from the menu bar.
2) Type: sensor in the Quick find and click Apply.
3) In the (ER) RSD Sensor Deployment row click Run.
4) Click the bar graph to identify the individual sensors.
5) Check all the systems that need to have Rogue Sensors removed.
6) Click Actions > Rogue Sensor > Remove Rogue Sensor.
If you are still having issues fully removing the RSD, follow the steps below:
a. On the local system where the sensor was installed, open a command prompt (cmd).


b. Run the command: sc delete RSSensor
   Note: This will stop the service from starting.
c. Run the command to open the registry: regedit
d. Expand the Registry tree to locate the key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<GUID of Rogue Sensor Uninstall Package>
   Note: The GUID of the Rogue Sensor Uninstall Package should be {34C22C5D-30F8-4EF4-97CF-0A8594F42959}. Before deleting the key, verify that the {34C22C5D-30F8-4EF4-97CF-0A8594F42959} key contains RSD sensor material.
e. Delete the key.
f. Return to the HBSS VM and log into ePO.
g. Click Queries from the menu bar.
h. Type: sensor in the Quick find and click Apply.
i. In the (ER) RSD Sensor Deployment row click Run.
j. Click the bar graph to identify the individual sensor.
k. Check the system that needs to have the Rogue Sensor removed.
l. Click Actions > Rogue Sensor > Remove Rogue Sensor.

3.1.2.5 Step 4 – Verify Module Removal
To verify ALL systems have modules removed:
1) Click Queries from the menu bar.
2) Type: nnwc in the Quick find and click Apply.
3) In the NNWC: All Component Summary of Last 2 Weeks row click Run.
4) No products should be listed except McAfee Agent. Exception: VirusScan and Anti-Spyware may still be running on MSSQL; this can be ignored.

To verify individual systems have modules removed:
1) Click System Tree from the menu bar.
2) Select My Organization and change the Filter drop box to This Group and All Subgroups.
3) Locate the system for removal and click the hostname (not the check box) to view the System Details.
4) In the row Installed Products, only McAfee Agent and Products Coverage Reports should be listed.

3.1.2.6 Step 5 – Removing HBSS Agent
1) Click System Tree from the menu bar.


2) Select My Organization and change the Filter drop box to This Group and All Subgroups.
3) Locate the system(s) for removal and check the checkbox next to the hostname.
4) Click Actions > Directory Management > Delete.
5) Check Remove agent and click OK.
6) Upon next check-in the agent will uninstall from the hosts. This may take up to two hours.

3.1.3 Manually Removing the HBSS Products and Agent from a Local Windows System

3.1.3.1 Removing HIPS
1) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
2) Unlock the interface from the menu bar, Task > Unlock User Interface.
3) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
4) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
5) Leave the window open.
6) If listed in Add or Remove Programs in the Control Panel, select McAfee Host Intrusion Prevention and click Remove. Click Yes to remove. If prompted, reboot the system.
   Or
   To remove McAfee Host Intrusion Prevention from the command window, run msiexec /X{B332732A-4958-41DD-B439-DDA2D32753C5}. Click Yes to remove. If prompted, reboot the system.
7) To verify removal, check that the McAfee Host Intrusion Prevention Service is gone from Services.
https://kc.mcafee.com/corporate/index?page=content&id=KB51699

3.1.3.2 Removing DLP
If Host Intrusion Prevention is installed:
1) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
2) Unlock the interface from the menu bar, Task > Unlock User Interface.
3) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
4) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
5) Leave the window open.
6) From the client workstation go to Control Panel > Add or Remove Programs.
7) Locate the McAfee DLP Agent in the currently installed programs and click Remove.
8) Click Yes to remove.


9) Expect a popup with a challenge key.
10) Record the challenge key. This key will be given to the HBSS administrator so that he/she may input the key into the ePO server to generate the password.
11) Log into the ePO console as an administrator.
12) Navigate to Menu Options > Data Protection > DLP Policy.
13) Go to Tools > Generate Agent Uninstall Key…
14) You must fill in all the fields to generate the key.
15) Click the Generate Key button. Record the agent override password in the box to the right of the Generate Key button.
16) Back on the local client workstation, enter the override password.


17) Click OK.
18) After the uninstall is complete, expect a restart warning. Click Yes to restart the system.
19) To verify removal, check that the McAfee DLP Agent Service is gone from Services.

3.1.3.3 Removing the Rogue Sensor
If Host Intrusion Prevention is installed:
1) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
2) Unlock the interface from the menu bar, Task > Unlock User Interface.
3) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
4) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
5) Leave the window open.
6) From Add or Remove Programs in the Control Panel select McAfee Rogue System Detection Sensor, click Remove and click Yes.
   Or
   To remove the Rogue Sensor from the command window, change to the directory C:\Program Files\McAfee\RSD Sensor and run RSSensor.exe --uninstall.
7) To verify removal, check Services and verify that the McAfee Rogue System Sensor is removed.
If you are still having issues fully removing the RSD, follow the steps below:
m. On the local system where the sensor was installed, open a command prompt (cmd).
n. Run the command: sc delete RSSensor
   Note: This will stop the service from starting.


o. Run the command to open the registry: regedit
p. Expand the Registry tree to locate the key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<GUID of Rogue Sensor Uninstall Package>
   Note: The GUID of the Rogue Sensor Uninstall Package should be {34C22C5D-30F8-4EF4-97CF-0A8594F42959}. Before deleting the key, verify that the {34C22C5D-30F8-4EF4-97CF-0A8594F42959} key contains RSD sensor material.
q. Delete the key.
r. Return to the HBSS VM and log into ePO.
s. Click Queries from the menu bar.
t. Type: sensor in the Quick find and click Apply.
u. In the (ER) RSD Sensor Deployment row click Run.
v. Click the bar graph to identify the individual sensor.
w. Check the system that needs to have the Rogue Sensor removed.
x. Click Actions > Rogue Sensor > Remove Rogue Sensor.

3.1.3.4 Removing the Asset Baseline Monitor
If Host Intrusion Prevention is installed:
1) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
2) Unlock the interface from the menu bar, Task > Unlock User Interface.
3) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
4) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
5) Leave the window open.
6) From Add or Remove Programs in the Control Panel select McAfee Asset Baseline Monitor Agent, click Remove and click Yes.
7) To verify removal, check that the directory C:\Program Files\McAfee\ABM is gone.

3.1.3.5 Removing the Policy Auditor
If Host Intrusion Prevention is installed:
1) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
2) Unlock the interface from the menu bar, Task > Unlock User Interface.
3) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
4) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
5) Leave the window open.


6) From Add or Remove Programs in the Control Panel select McAfee Policy Auditor Agent, click Remove and click Yes.
7) To verify removal, check that the McAfee Audit Manager Service is gone from Services.

3.1.3.6 Removing the HBSS Agent
1) If Host Intrusion Prevention is installed, remove it first.
2) To remove the McAfee Agent from the command window, change to the directory C:\Program Files\McAfee\Common Framework\ and run frminst.exe /forceuninstall.
3) To verify removal, check that the McAfee Framework Service is gone from Services.

3.1.3.7 Final System Clean-up
1) Remove the directory C:\Program Files\McAfee.
2) Remove the registry keys:
   a. HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates
   b. HKEY_CURRENT_USER\Software\McAfee

3.1.4 Removing the HBSS Products and Agent from non-Windows systems (Linux, Mac, Solaris, HP-UX, and AIX)
Overview: Use ePO to remove the HBSS modules from non-Windows systems. Following the removal of the modules, use the local system to remove the HBSS agent. It is important to follow the order of removal. The HBSS agent should be removed only after the successful removal of all other products. If you only need to remove the HBSS agent, proceed to step 4 below.
a. Removing deployed products
b. Removing DLP
c. Removing Rogue Sensors
d. Removing the HBSS Agent

3.1.4.1 Step 1 – Removing Deployed Products
Follow the steps in the Removing Deployed Products section.
3.1.4.2 Step 2 - Removing DLP
Follow the steps in the Removing DLP section.
3.1.4.3 Step 3 – Removing Rogue Sensors
Follow the steps in the Removing Rogue Sensors section.
3.1.4.4 Step 4 - Removing the HBSS Agent from the local system
1) Log on as "root" to the local system where you want to remove the agent.


2) Run the command appropriate for your operating system:
   Operating System   Command
   HP-UX              swremove MFEcma
   Linux              rpm -e MFEcma
                      rpm -e MFErt
   Macintosh          /Library/McAfee/cma/uninstall.sh
   Solaris            pkgrm MFEcma
   AIX                rpm -e MFEcma
3) Back in ePO, navigate to Menu > Systems > System Tree, and select the systems you have uninstalled.
4) From the Actions drop-down menu, select Directory Management, then select Delete from the submenu.

3.1.5 McAfee Status Window
a. cmdagent.exe
For troubleshooting specific computers, here are some command line options. Go to the computer you want to troubleshoot and open a command prompt:
   cd c:\Program Files\McAfee\Common Framework
   cmdagent.exe <switch>
   /P   Create and send properties
   /E   Enforce policies
   /C   Check for new policies/tasks
   /S   Bring up the Agent GUI

3.1.6 Manually adding the HIPS module to local workstations
Issue: HIPS is not pushing to some local workstations.
Solution:
1) Locate the HIPS software directory on the local HBSS VM:
   C:\Program Files\McAfee\ePolicyOrchestrator\DB\Software\Current\HOSTIPS_7000\Install\0409
2) Copy the entire contents of the 0409 directory and paste them onto the local workstations that are missing HIPS.
3) Execute the McAfeeHIP_ClientSetup.exe file on the local workstation.
4) Once installed, delete the 0409 directory from the local workstation.


3.1.7 Installing HIPS and McAfee Agents on an Image
Overview: When creating an image of a computer that includes the McAfee Agent, registry keys must be deleted before the image is saved. The registry keys reference unique registration information inside the HBSS Server. New registry keys will be generated when the new system image first contacts the HBSS Server. This ensures each new system using the image is registered inside HBSS as a unique system.
Solution: On the master image computer:
1) If Host Intrusion Prevention is installed:
2) From the system tray right-click the red M shield, select Managed Features > McAfee Host Intrusion Prevention, and select Configure.
3) Unlock the interface from the menu bar, Task > Unlock User Interface.
4) From the IPS Policy tab uncheck Enable Host IPS and Enable Network IPS.
5) From the Application Policy tab uncheck Enabled Application Creation Monitor and Enabled Application Hooking Monitor.
6) Leave the window open.
7) Locate the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
8) Right-click each of the following values and select Delete:
   • AgentGUID
   • MacAddress
9) Locate the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\Keys
10) Right-click each of the following values and select Delete:
   • binap
   • binas
   • binrs
   • binsp

Adding Host Intrusion Prevention to the image:
1) Locate the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FireTDI
2) Right-click the subkey Enum and select Delete.
3) Close Registry Editor.

3.1.8 Redirecting the communication of a Windows McAfee Agent 4.x to a new ePO 4.x server
Overview: Redirect the McAfee Agent on a computer to communicate with a new ePO 4.x server.
Steps:


1) From the machine with the McAfee Agent installed, click Start, Run, type explorer and click OK.
2) Navigate to the following folder on the ePO 4.x server: c:\Program Files\McAfee\ePO\DB\Software\Current\ePOAgent3000\Install\0409.
3) Copy the following files to a temp folder on the client computer (for example: c:\Temp):
   srpubkey.bin
   reqseckey.bin
   SiteList.xml
4) Run the following command on the systems that need to have the agent communication redirected to the new ePO 4.x server:
   NOTE: By default, FrmInst.exe is located in c:\Program Files\McAfee\Common Framework.
   FrmInst.exe /SiteInfo=c:\<Temporary_folder_path>\SiteList.xml
   where <Temporary_folder_path> is the location to which the three files listed in step 3 were copied. Example:
   FrmInst.exe /SiteInfo=c:\Temp\SiteList.xml

3.1.9 Redirecting the communication of a Linux McAfee Agent to a new ePO server
Overview: Redirect the McAfee Agent on a Linux computer to communicate with a new ePO server.
Steps:
1) On the Linux machine, run the command to change the device to unmanaged:
   /opt/McAfee/cma/bin/msaconfig -u -nostart
2) If necessary, on the Linux machine, create a new directory /tmp/redirect:
   mkdir /tmp/redirect
3) On the HBSS VM, copy the following files from the VM and transfer them to the target Linux machine:
   Files for transfer: srpubkey.bin, reqseckey.bin, SiteList.xml
   Command (run the command for each file above):


   pscp "c:\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3700LYNX\Install\0409\<file name>" <username>@<Linux IP address>:/tmp/redirect
   NOTE: There is a space between ePolicy and Orchestrator, so the source path must be quoted, and a space between <file name> and <username>.
4) Repeat step 3 for the remaining files.
5) Run the command to redirect the agent to the new ePO server:
   /opt/McAfee/cma/bin/msaconfig -m -d /tmp/redirect

3.1.10 HIPS - Learn Remote IP address for Adaptive/Learn mode Firewall Rules
Overview: Add the ability to include the remote (destination) IP address in Firewall Rules created while in Adaptive or Learn mode. See McAfee KB 68888 for further details.
Prerequisites: This functionality is applicable to HIPS 7.0 Patch 7 (Hotfix 557388) and Patch 8.
Steps:
1) On the local client, disable Host Intrusion Prevention protection with an ePO policy or in the local client user interface.
2) Click Start, Run, type regedit and click OK.
3) Navigate to and select the registry key below:
   [HKEY_LOCAL_MACHINE\Software\McAfee\HIP]
4) Create the two new DWORD entries below:
   o dwMaxLearnRemoteHostIncoming_Client (for incoming traffic)
   o dwMaxLearnRemoteHostOutgoing_Client (for outgoing traffic)
5) Set the Value data to the maximum number of firewall rules that can learn a remote address (example: 50).
   NOTE: When this value is exceeded, new firewall rules will return to the default behavior and will contain ANY for the remote address.
6) Reboot the system.
7) If necessary, re-enable Host Intrusion Prevention protection on the local client with an ePO policy or in the local client user interface.


3.2 Issues

3.2.1 ePO Issue with Importing Domain Information
Issue: Error importing the ship's domain information (i.e., computer names).
Solutions:
1) Deploy rogue sensors so that all subnets are recognized.
2) Go to the domain controller (DC01) and export the list of computer names (servers and workstations). You will need to clean up the text file to verify that there is no extra or erroneous information. You can then import this text file into the ePO server.
3) Or you can use psexec to create a manual package and do a mass push.

3.2.2 HBSS Agent Push Issues
Issue: Difficulty pushing the agent from the ePO server to a client computer.
Solutions:
1) Verify that you have the correct shipboard credentials. Verify that those credentials are not locked out.
2) Verify that you can access the share.
   a. Confirm that workstation Admin$ share folders are accessible from the HBSS server. This access is required for the HBSS server to install agents and other software, and testing it confirms your administrator credentials. On the HBSS server, open a command window (Start | Run). Type the path to the client Admin$ share (use the system name or IP address):
      i. \\MyComputer\Admin$
      ii. \\192.168.14.52\Admin$
   b. If the systems are properly connected over the network, your credentials have sufficient rights, and the Admin$ share folder is present, you will see a Windows Explorer window.
3) For Windows XP, verify that File and Print Sharing in the NIC properties is checked. Turn off the Windows firewall (or, preferably, allow the File and Printer Sharing exception through it rather than disabling it entirely).
4) Is the computer trusted? If the computer is not part of the domain it may not be trusted. Try to do a manual installation. See the section regarding PSEXEC to create a FramePackage.exe.

3.2.3 Unable to Log into ePO Console
Issue 1: You receive an error when accessing https://hbss:8005 (the error dialog is not reproduced in this text).


Solutions: HBSS was unable to connect to the MSSQL database when its services started (for example, after a reboot in which HBSS came up before MSSQL).

• Verify HBSS can reach MSSQL: from the HBSS VM, ping mssql.
• Verify the MSSQL database service SQL Server (MSSQLSERVER) is running on MSSQL.
• Verify the MSSQL database is running before HBSS boots; if it was not, reboot HBSS.
• Verify the HBSS SQL account is not locked:
  1. Log on to the MSSQL VM as an administrator.
  2. From the desktop open Microsoft SQL Server Management Studio.
  3. Click Connect.
  4. Navigate to MSSQL → Security → Logins.
  5. Double-click hbss.
  6. Check the Status page.
• Verify the HBSS SQL account password on MSSQL (see above) and the password recorded in the HBSS desktop link HBSS Password Management match.

Issue 2: You receive a different error when accessing https://hbss:8005 (the second error screen shown in the original guide).


Solutions: HBSS is unable to connect to the MSSQL database. The checks are the same as for Issue 1 above: verify that HBSS can ping mssql, that the SQL Server (MSSQLSERVER) service is running on MSSQL, that MSSQL is up before HBSS boots (reboot HBSS if it was not), that the hbss SQL login is not locked (MSSQL → Security → Logins → hbss → Status), and that its password matches the one recorded in HBSS Password Management.

3.2.4 Forgot ePO Console Password

Issue: Unable to log in to the ePO Console.

Solution: Reset the ePO Console password hash in the database to the known default, then change the password.

1) Log on to the MSSQL VM as an administrator.


2) From the desktop open Microsoft SQL Server Management Studio.
3) Click Connect.
4) Navigate to MSSQL → Databases → ePO4_HBSS → Tables → dbo.OrionUsers.
5) Right-click the table and select Open Table.
6) Locate the row for the user account and its AuthURI column, and replace the stored hash with the hash of the known default password mko0(IJNmko0(IJN:

auth:pwd?pwd=E59cGQIaMNIgOFpsPbnpbzgnhLhgg94B

7) Back in the ePO Console, log in with the default password and change it immediately; the default password is documented and must not remain in use.

3.2.5 Assets are not communicating with the HBSS Server

Issue #1: Deployed agents are not updating in the ePO Console or are not showing up in the Console.

Solutions: Verify the agent is installed (check C:\Program Files\McAfee\Common Framework) and that the McAfee Framework Service is running.

1) If the agent is installed and running on the client, from the HBSS server browse to http://<Workstation IP>:591 (the agent's local status page).
2) Click the FrameSvc current link.
3) Find ‘Connecting to server’ and verify the address of the ePO server.


4) If the log does NOT reflect the correct external HBSS IP address:
   a. Verify HBSS is bound to the correct IP address: from the HBSS VM run C:\hbss_ip_check.bat.
      i. If the IP address is incorrect, disable HIPS and re-run C:\Documents and Settings\Administrator\Desktop\HBSS_Agent_Update.bat.
      ii. Re-push the agents after correcting the HBSS server IP address.
5) If the log does reflect the correct IP address, verify your network connectivity, NIC settings, etc.

Issue #2: Deployed agents are not updating in the ePO Console. The error "CPackage::addUserInformation(): GetUserPolicyInformation() unsuccessful - 0xfffff9be" appears in the McAfee Agent Monitor window.

Cause: The NVIDIA display driver is interfering with HBSS.

Solution: Update the NVIDIA driver.

3.2.6 Trouble Importing ePO Policies

Issue: You attempted to import new policies and received an error indicating that the policy was corrupted.

Solution: This is a known McAfee issue: an extra character (a space) is inserted during export, which breaks the import. Open the exported policy file in Notepad and find-and-replace ‘ "’ (a space followed by a double quote) with ‘"’, i.e., remove the extra space in front of the quote. In some cases it is also necessary to find-and-replace ‘ &’ with ‘&’.

3.2.7 HIPS Events Not Purging

Issue: HIPS is generating or has generated too many events and you need to purge them from the database.


Solution:

1) Log into the ePO console as an administrator.
2) Navigate to Menu Options → Reporting → Host IPS.
3) Click Actions → Purge.
4) Enter the number of days of events to keep (default is 90 days; 0 purges everything).
5) Click OK.

Purged events are gone from the local database. Before purging with 0 days, confirm that anything needed for an investigation or for the NCDOC roll-up has already been collected.

3.2.8 File Integrity Events Not Purging

Issue: File Integrity is generating or has generated too many events and you need to purge them from the database.

Solution:

1) Log into the ePO console as an administrator.
2) Navigate to Menu Options → Reporting → File Integrity.
3) Click Actions → Purge.
4) Enter the number of days of events to keep (default is 90 days; 0 purges everything).
5) Click OK.

3.2.9 DLP Monitor Events Not Purging

Issue: DLP is generating or has generated too many events and you need to purge them from the database.

Solution:

1) Log into the ePO console as an administrator.
2) Navigate to Menu Options → Data Protection → DLP Policy.
3) Scroll to the bottom of the menu list and click Database Administration.
4) Double-click Delete Events by Number of Days.
5) Enter the number of days of events to keep (default is 90 days; 0 purges everything).
6) Click Execute.

3.2.10 COMPOSE Servers trigger UDP Port Scan and TCP Port Scan

Issue: COMPOSE servers are blocking one another. For example, UDP Port Scan events from DC1 are triggering on DC2 and causing DC1 to be added to DC2's blocked host list for 10 minutes.

Solution: Add the ship's server IPs to the HIPS Trusted Networks list.

1) Log into the ePO console as an administrator.
2) From the menu bar click Policy Catalog.


3) From the Product drop box select Host Intrusion Prevention x.x.x: General.
4) From the Category drop box select Trusted Networks (Windows).
5) In the ship's trusted network policy row (e.g., CVN99_Trusted_Networks) click Edit Settings.
6) Click the button to add a new entry.
7) Enter the server IP address range (x.x.x.20-x.x.x.30) and check Trust for network IPS.
8) Click Save.
9) Send an Agent Wake-up call to the servers.

Keep the trusted range to the known server addresses. Traffic from a trusted network bypasses the network IPS signatures on every host that receives the policy, so a wider range than necessary blinds HIPS to a scan or attack sourced from anywhere inside it.

3.2.11 Continuous Reboot Prompt During HIPS Install

Issue: When deploying HIPS to a client, the user is prompted to reboot. After rebooting, another reboot prompt is displayed, and this repeats.

Solution: Delete C:\Windows\McAfeeHIPS_reboot.

3.2.12 DLP Policy will not Load on Workstations

Issue: The DLP Policy Manager will not load because of Internet Explorer settings.

Solutions:

1) Access the ePO console from the HBSS VM, or
2) Contact the COMPOSE administrators to correct the GPO settings so that the DLP Policy Manager can load.

3.2.13 HBSS is controlling/updating the Symantec Antivirus

Issue: HBSS is controlling and/or updating the Symantec Antivirus.

Solution: Within ePO, set the Symantec Antivirus product to not enforcing:

1) Log in to the ePO console with administrator credentials.
2) From the menu bar click Policy Catalog.
3) From the Product drop box select Symantec Antivirus x.x.x.
4) From the Category drop box select Management Policies.
5) In the ship's management policy row click Edit Settings.
6) Under Enforcement, uncheck Enforce policies on servers and client…
7) Click Save.
8) Perform an agent wake-up call on the site.


3.2.14 HBSS PKI Certificates are not working

Issue: After loading the DoD PKI certificates, the Issued by: field of the ePO server certificate is not correct.

Solutions: Reload the DoD PKI certificates.

Option 1: Retry the current certificate

1) From the HBSS VM temporarily disable HIPS.
2) Copy C:\certs-temp\hbss-request.keystore over C:\Program Files\McAfee\ePolicy Orchestrator\Server\Keystore\hbss.keystore:

copy C:\certs-temp\hbss-request.keystore "C:\Program Files\McAfee\ePolicy Orchestrator\Server\Keystore\hbss.keystore" /y

3) Run C:\PKICertificate\ImportCerts.bat.
4) When prompted Trust this certificate? [no]: type yes.
5) After entering yes, the import should complete with no errors.
6) Reboot.

Option 2: Request a new certificate

1) From the HBSS VM temporarily disable HIPS.
2) Delete:
   a. C:\Program Files\McAfee\ePolicy Orchestrator\Server\Keystore\hbss.keystore
   b. C:\certs-temp\cacert.cer
   c. C:\certs-temp\hbsscertreq.csr


   d. C:\certs-temp\hbss-request.keystore
   e. C:\certs-temp\hbssservercert.cer
   f. C:\certs-temp\intcert.cer
3) Re-run the DOD CERTIFICATES FOR CND-OSE HBSS section of the CND-OSE 1.2 Site Configuration Guide.

3.2.15 HIPS Firewall learn remote IP during adaptive mode

Issue: When the firewall is placed in adaptive mode, the rules it learns do not record the remote address (they are created with ANY as the remote address).

Solution: Set the Host IPS registry values that allow learned firewall rules to record the remote host (McAfee KB68888).

1) Disable Host Intrusion Prevention protection with an ePO policy or in the local client user interface.
2) Click Start → Run, type regedit and click OK.
3) Navigate to and select the registry key:

[HKEY_LOCAL_MACHINE\Software\McAfee\HIP]

4) Create the two new DWORD entries:
   a. dwMaxLearnRemoteHostIncoming_Client (for incoming traffic)
   b. dwMaxLearnRemoteHostOutgoing_Client (for outgoing traffic)
5) Set the Value data to the maximum number of firewall rules that may learn a remote address (example: 50). NOTE: Once this number is exceeded, new learned rules revert to the default behavior and contain ANY for the remote address.
6) Re-enable Host Intrusion Prevention protection.

Reference: https://kc.mcafee.com/corporate/index?page=content&id=KB68888&actp=search&viewlocale=en_US&searchid=1293052324034

3.2.16 Rogue System Sensor not reporting back to ePO server

Issue: The Rogue System Sensor is not reporting back to the ePO server, resulting in uncovered subnets.

Cause: Possibly a corrupt RSD policy.

Solution:

1) In the System Tree, highlight the top node under which the sensor is not reporting.
2) Click the Assigned Policies tab.
3) Using the Product drop-down, select Rogue System Detection.
4) Click the desired policy to edit it.
5) In the General tab, ensure the Server name is correct.


6) Click the Interfaces tab.
7) Click the second Network radio button, “Do not listen on interfaces whose IP…”, and ensure the Remove from List box is empty.
8) Click Save.
9) Verify the COMPOSE Domain Controller's DNS contains the correct HBSS entry.

3.2.17 ISA Server (DC02) cannot communicate with HBSS

Issue: The ISA Server (DC02) cannot communicate with HBSS to pull policy updates.

Cause: The CND-OSE IP addresses are being blocked by the ISA server (DC02) because they are not in its Internal network address range.

Solution: Add the CND-OSE IP addresses to the ISA server's Internal network.

1) Access the ISA server (DC02) and log in as an administrator.
2) Navigate to Start → ISA Server Management.
3) Using the ISA tree on the left-hand side, navigate to <Domain> → Configuration → Networks.
4) Click the Networks tab.
5) Double-click the Internal network to launch the Internal Properties window.
6) Click the Addresses tab.
7) Click the Add Range button.
8) Add a range covering ESX, ACAS-Scanner, and HBSS.
9) Click OK.

3.2.18 HBSS VM is running extremely slow (100% CPU usage)

Issue: The HBSS VM is running extremely slowly (100% CPU usage).

Cause: The Event Parser service on HBSS is using 100% of the CPU.

Solution: Delete and recreate the C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events directory. Any event files still queued in that directory are discarded, so copy it aside first if the backlog must be preserved.

1) Log into the HBSS VM as an administrator.
2) Open Services: Start → Administrative Tools → Services.
3) Find the McAfee ePolicy Orchestrator 4.5.0 Event Parser service, right-click, and select Stop.
4) Delete C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events.
5) Recreate C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events.
6) Back in Services, start the McAfee ePolicy Orchestrator 4.5.0 Event Parser service.

3.2.19 DLP Outlook add-in causes Microsoft Outlook error

Issue: Outlook fails to start the McAfee DLP Outlook add-in and generates the following error message:


“Outlook experienced a serious problem with the mcafee dlp outlook addin add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?”

If Yes is clicked, the DLP add-in is disabled by Microsoft Outlook.

Cause: If the Outlook process is closed while the DLP add-in is processing content, Outlook classifies it as a problematic add-in.

Solution: To re-enable the DLP Outlook add-in in Microsoft Outlook 2002/2003:

1) Click the Help menu and select About Microsoft Office Outlook.
2) Click Disabled Items, select the mcafee dlp outlook add-in and click Enable.

To re-enable the DLP Outlook add-in in Microsoft Outlook 2007:

1) Click the Help menu and select Disabled Items.
2) Select the mcafee dlp outlook add-in and click Enable.

McAfee Knowledge Base Reference: https://kc.mcafee.com/corporate/index?page=content&id=KB59774&actp=search&viewlocale=en_US&searchid=1282769629583

3.2.20 NCDOC Roll-up is failing

Issue: The NCDOC Roll-up is failing.

Potential Cause #1: MSSQL traffic is being blocked from passing through the HBSS VM.

Solution: Allow MSSQL traffic to pass through the HBSS VM.

1) Within the HBSS VM log in as an administrator.
2) Open Start → Administrative Tools → Services.
3) Double-click Routing and Remote Access.
4) Change Startup type to Automatic and click Apply.
5) Click Start and click OK.
6) Close the Services window.
7) Open Start → Administrative Tools → Routing and Remote Access.
8) Navigate to Routing and Remote Access → HBSS (local) → IP Routing → NAT/Basic Firewall.
9) Right-click and select New Interface.
10) Select External and click OK.
11) Select Public interface connected to the Internet.


12) Check Enable NAT on this interface.
13) Click the Services and Ports tab.
14) At the bottom of the list check MSSQL and click OK (check only MSSQL; every additional service checked here is another port exposed through the NAT).
15) Close the Routing and Remote Access window.

Potential Cause #2: The certificate is not loaded into MSSQL.

Solution: Verify the certificate is loaded and Force Encryption is enabled.

1) Shut down the HBSS VM.
2) Log into the MSSQL VM as an administrator.
3) Disable the McAfee HIPS IPS, Firewall, and Application policies.
4) Navigate to Start → All Programs → Microsoft SQL Server 2005 → Configuration Tools → SQL Server Configuration Manager.
5) Right-click SQL Server 2005 Network Configuration → Protocols for MSSQLSERVER and select Properties.
6) Change Force Encryption to Yes, select the Certificate tab, in the Certificate drop box select the MSSQL certificate and click OK. Click OK to the warning message.
7) Close the SQL Server Configuration Manager window.
8) Double-click the Services shortcut on the desktop and restart the service SQL Server (MSSQLSERVER).
9) If prompted, click Yes to restart the SQL Server Agent.
10) Restart the HBSS VM.
11) Lock the McAfee HIPS interface and close it.


3.2.21 COMPOSE 4.x TMG Server “blue screens” after pushing HIPS

Issue: After pushing HIPS, the COMPOSE 4.x TMG server “blue screens.”

Solution: Remove the HIPS module.

1) Boot the TMG server into Safe Mode.
2) Disable the following services:
   • McAfee HIPSCore Service
   • McAfee Host Intrusion Prevention Service
   • McAfee Validation Trust Protection Service
3) Reboot the TMG server.
4) Once the server finishes rebooting, log in as an administrator.
5) Click Start → Run and type cmd.
6) At the command prompt type:

msiexec /x{B332732A-4958-41DD-B439-DDA2D32753C5}

7) Click Yes at the Windows Installer prompt.
8) Observe the removal of the HIPS module.

3.2.22 Cannot Remove the Default ePO key

Issue: The administrator cannot delete the default ePO key from the console.

Solution: Manually remove the key from the HBSS VM.

Warning: Back up the HBSS and MSSQL VMs, or at least the keystore file, before deleting the key.

1) Log into the HBSS VM as an administrator.
2) Disable HIPS by right-clicking the McAfee Agent icon in the task bar.
3) Navigate to C:\Program Files\McAfee\ePolicy Orchestrator\DB\Keystore\slLegacy.zip.
4) Delete the slLegacy.zip file.

3.2.23 Cannot Transfer Files Needed for Manual Deployment of McAfee Agent

Issue: Cannot transfer the frame package created for manual deployment of the McAfee Agent.

Cause: The local security policy differs between the host machine and the target machine.

Solution 1: Temporarily set the local security policy of the target machine to match that of the host machine:


1) On the host machine (i.e., the machine that contains the files needed), note the following Local Security Policy setting.
2) On the host machine open the Local Security Policy (e.g., Control Panel → Administrative Tools → Local Security Policy).
3) Navigate to Security Settings → Local Policies → Security Options.
4) Locate Network security: LAN Manager authentication level.
5) Note the Security Setting.
6) On the target system, open the Local Security Policy (e.g., Control Panel → Administrative Tools → Local Security Policy).
7) Navigate to Security Settings → Local Policies → Security Options.
8) Locate Network security: LAN Manager authentication level.
9) Set the Security Setting to the same value as on the host machine.
10) Transfer the McAfee Agent files as necessary.
11) Once the files have been transferred, reset the Local Security Policy as necessary.

Where the two machines differ, raise the lower one to match the higher rather than lowering the higher: the levels below Send NTLMv2 response only allow LM or NTLMv1 responses, which can be cracked offline by anyone who captures them on the network.

Solution 2: If transferring files from the HBSS VM, temporarily set the local security policy of the target machine to match that of the HBSS VM:

1) On the target machine open the Local Security Policy (e.g., Control Panel → Administrative Tools → Local Security Policy).
2) Navigate to Security Settings → Local Policies → Security Options.
3) Ensure the policy Network security: LAN Manager authentication level is set to Send NTLMv2 response only\refuse LM & NTLM.
4) Transfer the McAfee Agent files from HBSS to the target machine as necessary.
5) Once the files have been transferred, reset the Local Security Policy as necessary.

3.2.24 RSD Becomes Passive on Domain Controller

Issue: The rogue sensor on the domain controller shows up as passive.

Solution 1: The RSD server configuration has been modified.

1) Log on to the ePO server.
2) Navigate to Menu → Configuration → Server Settings.


3) In the Settings Categories column scroll down to Rogue System Sensor.
4) Verify the settings, clicking Edit as needed to adjust them. In particular, verify Sensors per subnet: the maximum number of sensors that will be active per subnet must be set to All sensors active.

Solution 2: The reverse lookup record for the HBSS VM is missing. Request that the system administrator add a reverse lookup (PTR) record for the HBSS VM. The steps below are for the shipboard system administrator to use at his or her discretion.

1) Log on to the Domain Controller.
2) Launch DNS Manager (dnsmgmt: Start → All Programs → Administrative Tools → DNS).
3) Expand Reverse Lookup Zones and the zone beneath it.
4) To create a new pointer, right-click in the pane listing the existing pointers and select New Pointer (PTR).
5) Type in the host IP number of the HBSS VM and its host name.
6) Click OK.
7) Restart the rogue system sensor service on the domain controller: in Services, right-click the McAfee Rogue System Sensor service and select Restart.

4 Tips, Tricks, and Issues with ACAS-scanner

4.1 Tips and Tricks

• Verify that the ESX server and each virtual machine have synchronized time with the ship. Pushing clients and patches may fail if the times differ.

4.1.1 Additional Resources

• DISA ACAS portal (NIPR): https://east1.deps.mil/disa/cop/mae/netops/acas/SitePages/Home.aspx
• DISA ACAS portal (SIPR):


http://www.intelink.sgov.gov/wiki/ACAS
• Vendor forums: https://discussions.nessus.org

4.1.2 How to verify scan results contain all available hosts

To determine all Internet Protocol (IP) addresses active on the network, review each switch's interface table, Virtual Router Redundancy Protocol (VRRP) configuration and Address Resolution Protocol (ARP) table. The resulting list of IP addresses can be compared against the IP addresses reported by the Assured Compliance Assessment Solution (ACAS) to verify that all active addresses are reported. Note: The lists will not contain IPs of systems that are offline; by default the ARP table purges an address after 5 minutes of inactivity, so a host that has been quiet longer than that is absent from the ARP table even though it is powered on. The interface addresses and the VRRP virtual addresses belong to the switches themselves rather than to end systems.

1) Log in to each switch.
2) Type: show ip interface and record the IP addresses.
3) Type: show configuration snapshot vrrp and record the IP addresses.
4) Type: show arp and record the IP addresses.
5) Compare this list of IP addresses against ACAS's list of IP addresses.

BS1002u-4.1.4/> show ip interface
Total 9 interfaces
        Name                 IP Address      Subnet Mask     Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
EMIO                 XXX.XXX.156.235 255.255.255.248    UP     YES  vlan 100
EMP                  XXX.XXX.1.1     255.255.255.0    DOWN      NO  EMP
Loopback             127.0.0.1       255.0.0.0          UP      NO  Loopback
Loopback0            XXX.XXX.156.99  255.255.255.255    UP     YES  Loopback0
u-DMZ2               XXX.XXX.156.94  255.255.255.248    UP     YES  vlan 6
u-MMS                XXX.XXX.156.243 255.255.255.248    UP     YES  vlan 50
u-NMS                XXX.XXX.156.131 255.255.255.224    UP     YES  vlan 4
u-SRVR               XXX.XXX.156.3   255.255.255.192    UP     YES  vlan 3
u-SSIL1              XXX.XXX.156.67  255.255.255.240    UP     YES  vlan 20

BS1002u-4.1.4/> show configuration snapshot vrrp
! VRRP :
VRRP 2 2 DISABLE
VRRP 2 2 PRIORITY 110 PREEMPT INTERVAL 1
VRRP 2 2 ADDRESS XXX.XXX.156.113
VRRP 2 2 ENABLE
VRRP 3 3 DISABLE
VRRP 3 3 PRIORITY 100 PREEMPT INTERVAL 1
VRRP 3 3 ADDRESS XXX.XXX.156.1
VRRP 3 3 ENABLE
VRRP 4 4 DISABLE
VRRP 4 4 PRIORITY 110 PREEMPT INTERVAL 1
VRRP 4 4 ADDRESS XXX.XXX.156.129
VRRP 4 4 ENABLE


BS1002u-4.1.4/> show arp
Total 13 arp entries
 Flags (P=Proxy, A=Authentication, V=VRRP)
 IP Addr           Hardware Addr       Type       Flags   Port     Interface   Name
-----------------+-------------------+----------+-------+--------+-----------+----------
XXX.XXX.156.2     00:e0:b1:ca:5c:48   DYNAMIC            2/24     vlan 3
XXX.XXX.156.20    00:0c:29:ed:96:3f   DYNAMIC            2/24     vlan 3
XXX.XXX.156.21    00:0c:29:b7:85:89   DYNAMIC            1/1      vlan 3
XXX.XXX.156.22    00:50:56:8e:16:88   DYNAMIC            1/2      vlan 3
XXX.XXX.156.23    00:50:56:15:60:23   DYNAMIC            1/17     vlan 3
XXX.XXX.156.65    00:00:5e:00:01:14   STATIC     PV      UNKNOWN  vlan 20
XXX.XXX.156.66    00:e0:b1:ca:5c:48   DYNAMIC            2/24     vlan 20
XXX.XXX.156.70    00:50:56:8e:29:dc   DYNAMIC            1/6      vlan 20
XXX.XXX.156.74    00:0c:29:02:f6:3f   DYNAMIC            2/24     vlan 20
XXX.XXX.156.75    00:0c:29:99:35:25   DYNAMIC            1/2      vlan 20
XXX.XXX.156.89    00:1b:d4:bb:07:51   DYNAMIC            2/13     vlan 6
XXX.XXX.156.113   00:00:5e:00:01:02   STATIC     PV      UNKNOWN  vlan 2
XXX.XXX.156.114   00:e0:b1:ca:5c:48   DYNAMIC            2/24     vlan 2
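The comparison in step 5 is tedious by hand on a large ship network. The following Python script, an added example that is not part of this guide or of ACAS, parses the three outputs above and lists the addresses ACAS did not report, keeping VRRP virtual addresses (the STATIC PV entries with the 00:00:5e:00:01:xx virtual MAC) apart from real hosts so they are not chased as missing systems. The sample outputs are a constructed subset of the listings above with the masked XXX.XXX octets replaced by 10.1, and the ACAS-reported set is invented for the demonstration; on a real platform, paste in the captured switch output and the host list exported from Security Center.

```python
"""Reconcile switch-observed IP addresses against the ACAS host list.

Added example; not part of the CND-OSE guide or of ACAS. The sample
outputs are a constructed subset of the listings in 4.1.2 with the
masked XXX.XXX octets replaced by 10.1; ACAS_REPORTED is invented.
"""
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# 00:00:5e:00:01:xx is the IANA-assigned VRRP virtual MAC range.
VRRP_MAC = re.compile(r"^00:00:5e:00:01:[0-9a-f]{2}$", re.IGNORECASE)

SHOW_IP_INTERFACE = """\
Total 6 interfaces
        Name                 IP Address      Subnet Mask     Status Forward  Device
--------------------+---------------+---------------+------+-------+--------
EMIO                 10.1.156.235    255.255.255.248    UP     YES  vlan 100
EMP                  10.1.1.1        255.255.255.0    DOWN      NO  EMP
Loopback             127.0.0.1       255.0.0.0          UP      NO  Loopback
Loopback0            10.1.156.99     255.255.255.255    UP     YES  Loopback0
u-SRVR               10.1.156.3      255.255.255.192    UP     YES  vlan 3
u-SSIL1              10.1.156.67     255.255.255.240    UP     YES  vlan 20
"""

SHOW_VRRP = """\
! VRRP :
VRRP 2 2 PRIORITY 110 PREEMPT INTERVAL 1
VRRP 2 2 ADDRESS 10.1.156.113
VRRP 3 3 ADDRESS 10.1.156.1
"""

SHOW_ARP = """\
Total 6 arp entries
 IP Addr           Hardware Addr       Type       Flags   Port     Interface
10.1.156.2        00:e0:b1:ca:5c:48   DYNAMIC            2/24     vlan 3
10.1.156.20       00:0c:29:ed:96:3f   DYNAMIC            2/24     vlan 3
10.1.156.21       00:0c:29:b7:85:89   DYNAMIC            1/1      vlan 3
10.1.156.65       00:00:5e:00:01:14   STATIC     PV      UNKNOWN  vlan 20
10.1.156.70       00:50:56:8e:29:dc   DYNAMIC            1/6      vlan 20
10.1.156.113      00:00:5e:00:01:02   STATIC     PV      UNKNOWN  vlan 2
"""

# Constructed: the addresses the ACAS / Security Center asset list reported.
ACAS_REPORTED = {"10.1.156.2", "10.1.156.3", "10.1.156.20", "10.1.156.70", "10.1.156.99"}


def _ip_key(ip):
    """Sort key so that 10.1.156.67 orders before 10.1.156.235."""
    return tuple(int(octet) for octet in ip.split("."))


def interface_ips(output):
    """Addresses of interfaces whose Status is UP, minus the 127/8 loopback."""
    ips = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and IPV4.fullmatch(fields[1]) and fields[3] == "UP":
            if not fields[1].startswith("127."):
                ips.add(fields[1])
    return ips


def vrrp_ips(output):
    """Virtual IPs declared as 'VRRP <vrid> <vlan> ADDRESS a.b.c.d'."""
    ips = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].upper() == "VRRP" and fields[3].upper() == "ADDRESS":
            ips.add(fields[4])
    return ips


def arp_ips(output):
    """Split ARP entries into (host_ips, virtual_ips).

    An entry whose MAC is in the VRRP virtual range is a gateway VIP, not an
    end system; a scanner reports the router under its real address, if at all."""
    hosts, virtual = set(), set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and IPV4.fullmatch(fields[0]):
            (virtual if VRRP_MAC.match(fields[1]) else hosts).add(fields[0])
    return hosts, virtual


def unscanned(ip_interface, vrrp, arp, acas_reported):
    """Addresses the switch knows about that are absent from the ACAS list.

    'hosts' are end systems and switch interfaces, all of which should appear
    in ACAS; 'virtual' are VRRP VIPs, listed separately so they are not chased
    as missing hosts."""
    arp_hosts, arp_virtual = arp_ips(arp)
    hosts = interface_ips(ip_interface) | arp_hosts
    virtual = vrrp_ips(vrrp) | arp_virtual
    reported = set(acas_reported)
    return {
        "hosts": sorted(hosts - reported, key=_ip_key),
        "virtual": sorted(virtual - reported, key=_ip_key),
    }


if __name__ == "__main__":
    print(unscanned(SHOW_IP_INTERFACE, SHOW_VRRP, SHOW_ARP, ACAS_REPORTED))
```

Every address in the 'hosts' list is either a host the scanner could not reach (check the HIPS firewall and scan ranges) or one that was up when the switch saw it and down when ACAS ran; the 'virtual' list only needs a glance to confirm it holds nothing but gateway addresses.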

4.1.3 How to determine available bandwidth to NOC Security Center

To determine the bandwidth currently available between the platform and the Network Operations Center (NOC) Security Center (SC), download a file with wget.

1) Log in to the ACAS-Scanner console.
2) Type:

wget --no-check-certificate https://[NOC Security Center IP]/speedcheck -e use_proxy=yes -e https_proxy=proxy:8080

3) The speed is reported as the download progresses. At any time you may cancel the download by pressing CTRL+C.
4) To remove the downloaded file type: rm speedcheck

Note that --no-check-certificate turns off TLS certificate verification, and the output below shows why it is needed here: the SC certificate is issued by a DoD JITC (test PKI) CA the scanner does not trust, and its common name ‘ACAS’ does not match the IP address requested. That is acceptable for measuring the throughput of a throw-away file; the same invocation must not be used to fetch anything whose integrity matters.

[cndbackup@nessus2 ~]$ wget --no-check-certificate https://XXX.XXX.89.100/speedcheck -e use_proxy=yes -e https_proxy=proxy:8080
--2014-03-13 14:46:48--  https://XXX.XXX.89.100/speedcheck
Connecting to XXX.XXX.89.100:443... connected.
WARNING: cannot verify XXX.XXX.89.100's certificate, issued by `/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD JITC CA-21':
  Unable to locally verify the issuer's authority.
WARNING: certificate common name `ACAS' doesn't match requested host name `XXX.XXX.89.100'.
HTTP request sent, awaiting response... 200 OK
Length: 1000000 (977K) [text/plain]
Saving to: `speedcheck'

100%[======================================>] 1,000,000   59.7K/s   in 16s

2014-03-13 14:47:05 (59.4 KB/s) - `speedcheck' saved [1000000/1000000]


4.1.4 How to check if Security Center is connecting to the Scanner

SC checks in to the Scanner every 15 minutes. The username used by SC is the scanner's hostname. Reviewing the Scanner log shows whether SC has logged in. If more than 60 minutes have passed since the last login, there is a communication issue or SC is down.

1) Log in to the ACAS-Scanner console.
2) Type: sudo tail /opt/nessus/var/nessus/logs/nessusd.messages

[Fri Dec 6 23:00:06 2013][4428.1] [nessusd_www_server] successful login of 'acas-scanner.changeme.navy.mil' from XXX.XXX.89.100 via HTTPS using a SSL certificate
[Fri Dec 6 23:00:06 2013][4428.1] [nessusd_www_server] User acas-scanner.changeme.navy.mil (XXX.XXX.89.100) successfully logged out

4.1.5 How to monitor Scanner plug-in updates

Plug-in updates should be received from SC weekly. Reviewing the Scanner log shows the progress of a plug-in update. A complete plug-in update consists of 6 log entries: entries 1 and 2 are the package download from SC, entries 3 and 4 are the scanner processing the plug-in package, and entries 5 and 6 are the reload of the scanner with the new plug-ins.

1) Log in to the ACAS-Scanner console.
2) Type: sudo tail /opt/nessus/var/nessus/logs/nessusd.messages (tail shows only the last ten lines; if the update entries have scrolled past, search the file with sudo grep nessus-update-plugins /opt/nessus/var/nessus/logs/nessusd.messages)

[Mon Dec 23 07:51:42 2013][9825.1531482] nessus-update-plugins: started plugin update
[Mon Dec 23 07:51:45 2013][9825.1531482] nessus-update-plugins: finished plugin update
[Mon Dec 23 07:51:59 2013][9825.11] nessusd-reloader: Reloading nessusd because the plugins have been updated
[Mon Dec 23 08:03:37 2013][9825.11] nessusd-reloader: Finished reloading nessusd
[Mon Dec 23 08:06:30 2013][9825.1] Reloading the Nessus Web Server as nessusd was reloaded
[Mon Dec 23 08:06:30 2013][9825.1] Nessus Web Server is running (pid=1533661)
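Both checks above (the 60-minute SC check-in limit in 4.1.4 and the six-entry plug-in update sequence in 4.1.5) can be applied to nessusd.messages mechanically rather than by eye. The following Python script is an added example, not part of this guide or of Nessus. The sample log is constructed from the entries shown above, with the masked address replaced by 10.1.89.100 and one extra login appended; the scanner hostname acas-scanner.changeme.navy.mil is the placeholder that appears in the listing.

```python
"""Check Security Center (SC) activity in the Nessus scanner log.

Added example; not part of the CND-OSE guide or of Nessus. It applies
the two rules above to nessusd.messages: SC must have logged in within
the last 60 minutes (4.1.4), and the most recent plug-in update must
show all six stages (4.1.5). The sample log is constructed from the
entries shown above, with the masked address replaced by 10.1.89.100.
"""
import re
from datetime import datetime, timedelta

# "[Fri Dec  6 23:00:06 2013][4428.1] message" -> (timestamp text, message)
ENTRY = re.compile(r"^\[([^\]]+)\]\[[^\]]*\]\s*(.*)$")
LOGIN = re.compile(r"successful login of '([^']+)' from (\S+)")

# The six entries of a complete plug-in update, in the order they appear.
UPDATE_STAGES = (
    "started plugin update",
    "finished plugin update",
    "Reloading nessusd because the plugins have been updated",
    "Finished reloading nessusd",
    "Reloading the Nessus Web Server",
    "Nessus Web Server is running",
)

SAMPLE_LOG = """\
[Fri Dec 6 23:00:06 2013][4428.1] [nessusd_www_server] successful login of 'acas-scanner.changeme.navy.mil' from 10.1.89.100 via HTTPS using a SSL certificate
[Fri Dec 6 23:00:06 2013][4428.1] [nessusd_www_server] User acas-scanner.changeme.navy.mil (10.1.89.100) successfully logged out
[Mon Dec 23 07:51:42 2013][9825.1531482] nessus-update-plugins: started plugin update
[Mon Dec 23 07:51:45 2013][9825.1531482] nessus-update-plugins: finished plugin update
[Mon Dec 23 07:51:59 2013][9825.11] nessusd-reloader: Reloading nessusd because the plugins have been updated
[Mon Dec 23 08:03:37 2013][9825.11] nessusd-reloader: Finished reloading nessusd
[Mon Dec 23 08:06:30 2013][9825.1] Reloading the Nessus Web Server as nessusd was reloaded
[Mon Dec 23 08:06:30 2013][9825.1] Nessus Web Server is running (pid=1533661)
[Mon Dec 23 08:15:02 2013][9825.1] [nessusd_www_server] successful login of 'acas-scanner.changeme.navy.mil' from 10.1.89.100 via HTTPS using a SSL certificate
"""


def at(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' (used for the 'now' argument of the checks)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_entry(line):
    """Return (timestamp, message) for a nessusd.messages line, else None."""
    m = ENTRY.match(line)
    if not m:
        return None
    stamp = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
    return stamp, m.group(2)


def last_sc_login(lines, scanner_host):
    """Latest (timestamp, source IP) at which SC logged in.

    SC authenticates with the scanner's own hostname as the username, so a
    login by any other user is not evidence that SC is reaching the scanner."""
    latest = None
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        stamp, message = entry
        m = LOGIN.search(message)
        if m and m.group(1) == scanner_host and (latest is None or stamp > latest[0]):
            latest = (stamp, m.group(2))
    return latest


def sc_check_in_overdue(lines, scanner_host, now, max_gap=timedelta(minutes=60)):
    """True if SC has not logged in within max_gap of 'now' (or never has)."""
    latest = last_sc_login(lines, scanner_host)
    return latest is None or now - latest[0] > max_gap


def plugin_update_missing_stages(lines):
    """Stages absent from the most recent plug-in update cycle, in order.

    Only entries from the last 'started plugin update' onward are examined,
    so an older complete cycle cannot mask a newer one that stalled."""
    messages = [entry[1] for entry in map(parse_entry, lines) if entry]
    starts = [i for i, msg in enumerate(messages) if UPDATE_STAGES[0] in msg]
    if not starts:
        return list(UPDATE_STAGES)
    cycle = messages[starts[-1]:]
    position, missing = 0, []
    for stage in UPDATE_STAGES:
        hit = next((i for i in range(position, len(cycle)) if stage in cycle[i]), None)
        if hit is None:
            missing.append(stage)
        else:
            position = hit + 1
    return missing


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    host = "acas-scanner.changeme.navy.mil"
    print("last SC login:", last_sc_login(lines, host))
    print("SC overdue at 2013-12-23 09:30:", sc_check_in_overdue(lines, host, at("2013-12-23 09:30:00")))
    print("missing update stages:", plugin_update_missing_stages(lines))
```

On the scanner, feed it the whole file (sudo cat /opt/nessus/var/nessus/logs/nessusd.messages) rather than the last ten lines, and pass the scanner's real hostname; an empty missing-stage list and a recent login are the two conditions the sections above ask you to confirm.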

4.2 Issues

4.2.1 Cannot Perform a Deep Scan

Issue: ACAS-Scanner is not performing a credentialed (deep) scan.

Solutions:

• Verify that the scan credential account exists on the systems being scanned and that the account has administrative access.
• Verify that the HIPS firewall policy pushed by ePO is not blocking the ACAS-Scanner IP address. Check the firewall logs on a scanned host.


4.2.2 Cannot perform Deep Scans with UAC Enabled on Windows Vista, 7, 2008

Notes: The following guidance was provided by DISA as additional scanning procedures for User Account Control (UAC). Under no circumstances should UAC be disabled on any workstation, non-server platform, or 2008 or 2008 R2 server. UAC is not optional for 2008 and 2008 R2 servers and domain controllers.

Issue: If there are issues scanning Windows 7, Windows Server 2008, or some Windows Vista machines that have UAC enabled, follow the solution below. These issues are uncommon across all services and scanning entities.

Solution:

• Scan from a Windows 7 or Windows 2008 machine.
• If the scan credentials are not gaining access to the scan targets, instruct the site to add the following registry value on their Windows 7, Vista, and 2008 targets:
  - Hive: HKEY_LOCAL_MACHINE
  - Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System
  - Value: LocalAccountTokenFilterPolicy
  - Value Type: REG_DWORD
  - Value: 1

NOTE: This allows a local administrator account to receive its full security token over the network and scan like a domain admin account. The change applies to every local administrator on the target, not just the scan account, so a shared or weak local admin password becomes usable for remote administration (and lateral movement) from anywhere on the network. Prefer a domain scanning account, which UAC remote restrictions do not filter, and set this value only where that is not possible.

4.2.3 ACAS Scanner cannot login to switch during scans

Issue: By default, the switch only allows the Network Management System (NMS) Virtual Local Area Network (VLAN) to access the SSH service.

Solution: Update the Quality of Service (QoS) policy to allow the ACAS Scanner access.

1) Log in to each switch.
2) Type: show configuration snapshot qos to view the current QoS policy.
3) Type: qos disable
4) Type: qos apply
5) Type: policy network group u-SECSUITE [ACAS Scanner IP]
6) Type: policy condition SECSUITE_PERMIT source network group u-SECSUITE destination network group u-NMS
7) Type: policy rule SECSUITE_PERMIT precedence 100 condition SECSUITE_PERMIT action PERMIT
8) Type: qos enable
9) Type: qos apply

Between qos disable (step 3) and qos enable (step 8) the switch enforces none of its policy rules, including the SSH_DENY, FTP_DENY and SNMP_DENY rules that restrict management access, so carry out steps 3 through 9 in one sitting from an NMS-VLAN session and confirm with step 10 that the deny rules are back. Note also that the SECSUITE_PERMIT condition has no destination port, so unlike SSH_PERMIT it permits the scanner's traffic to the u-NMS group on every port, including the SNMP and FTP ports that the existing DENY rules otherwise block.


10) Type: show configuration snapshot qos to view the current QOS policy

    BS1001-u_v2.1.2/> show configuration snapshot qos
    ! QOS :
    policy network group u-NMS XXX.XXX.55.240 mask 255.255.255.240
    policy condition FTP_DENY destination network group Switch destination tcp port 21
    policy condition FTP_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 21
    policy condition SNMP_DENY destination network group Switch destination tcp port 161
    policy condition SNMP_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 161
    policy condition SSH_DENY destination network group Switch destination tcp port 22
    policy condition SSH_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 22
    policy action DENY disposition deny
    policy action PERMIT
    policy rule FTP_PERMIT precedence 100 condition FTP_PERMIT action PERMIT
    policy rule SSH_PERMIT precedence 100 condition SSH_PERMIT action PERMIT
    policy rule SNMP_PERMIT precedence 100 condition SNMP_PERMIT action PERMIT
    policy rule FTP_DENY precedence 50 condition FTP_DENY action DENY
    policy rule SSH_DENY precedence 50 condition SSH_DENY action DENY
    policy rule SNMP_DENY precedence 50 condition SNMP_DENY action DENY
    qos apply
    BS1001-u_v2.1.2/>
    BS1001-u_v2.1.2/> qos disable
    BS1001-u_v2.1.2/> qos apply
    BS1001-u_v2.1.2/> policy network group u-SECSUITE XXX.XXX.55.210
    BS1001-u_v2.1.2/> policy condition SECSUITE_PERMIT source network group u-SECSUITE destination network group u-NMS
    BS1001-u_v2.1.2/> policy rule SECSUITE_PERMIT precedence 100 condition SECSUITE_PERMIT action PERMIT
    BS1001-u_v2.1.2/> qos enable
    BS1001-u_v2.1.2/> qos apply
    BS1001-u_v2.1.2/> show configuration snapshot qos
    ! QOS :
    policy network group u-NMS XXX.XXX.55.240 mask 255.255.255.240
    policy network group u-SECSUITE XXX.XXX.55.210
    policy condition FTP_DENY destination network group Switch destination tcp port 21
    policy condition FTP_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 21
    policy condition SECSUITE_PERMIT source network group u-SECSUITE destination network group u-NMS
    policy condition SNMP_DENY destination network group Switch destination tcp port 161
    policy condition SNMP_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 161
    policy condition SSH_DENY destination network group Switch destination tcp port 22
    policy condition SSH_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 22
    policy action DENY disposition deny
    policy action PERMIT
    policy rule FTP_PERMIT precedence 100 condition FTP_PERMIT action PERMIT
    policy rule SSH_PERMIT precedence 100 condition SSH_PERMIT action PERMIT
    policy rule SNMP_PERMIT precedence 100 condition SNMP_PERMIT action PERMIT
    policy rule SECSUITE_PERMIT precedence 100 condition SECSUITE_PERMIT action PERMIT
    policy rule FTP_DENY precedence 50 condition FTP_DENY action DENY
    policy rule SSH_DENY precedence 50 condition SSH_DENY action DENY
    policy rule SNMP_DENY precedence 50 condition SNMP_DENY action DENY
    qos apply
    BS1001-u_v2.1.2/>
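A check for step 10, added here as an example and not part of the guide or of the switch's own tooling: it parses a show configuration snapshot qos listing (a constructed sample modelled on the session above, with 192.0.2.x documentation addresses in place of the masked XXX.XXX.55.x values) and confirms that the SECSUITE_PERMIT rule, the condition it names and both network groups the condition references are present, and that the permit carries a higher precedence than SSH_DENY, as the guide's existing PERMIT (100) and DENY (50) pairs do. A mistyped group name or a permit at too low a precedence leaves the scanner locked out even though the rule appears configured. Function and sample names are the example's own.

```python
import re

# Constructed sample modelled on the guide's post-change "show configuration snapshot qos"
# output; 192.0.2.x addresses stand in for the masked XXX.XXX.55.x values.
SAMPLE_QOS = """\
! QOS :
policy network group u-NMS 192.0.2.240 mask 255.255.255.240
policy network group u-SECSUITE 192.0.2.210
policy condition SSH_DENY destination network group Switch destination tcp port 22
policy condition SSH_PERMIT source network group u-NMS destination network group u-NMS destination tcp port 22
policy condition SECSUITE_PERMIT source network group u-SECSUITE destination network group u-NMS
policy action DENY disposition deny
policy action PERMIT
policy rule SSH_PERMIT precedence 100 condition SSH_PERMIT action PERMIT
policy rule SECSUITE_PERMIT precedence 100 condition SECSUITE_PERMIT action PERMIT
policy rule SSH_DENY precedence 50 condition SSH_DENY action DENY
qos apply
"""

GROUP_RE = re.compile(r"^policy network group (\S+) (\S+)(?: mask (\S+))?$")
COND_RE = re.compile(r"^policy condition (\S+) (.+)$")
RULE_RE = re.compile(r"^policy rule (\S+) precedence (\d+) condition (\S+) action (\S+)$")


def parse_qos_snapshot(text):
    """Split a snapshot into network groups, conditions and rules, each keyed by name."""
    groups, conditions, rules = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = (m.group(2), m.group(3) or "255.255.255.255")
        elif m := COND_RE.match(line):
            body = m.group(2)
            src = re.search(r"source network group (\S+)", body)
            dst = re.search(r"destination network group (\S+)", body)
            conditions[m.group(1)] = {
                "source": src.group(1) if src else None,
                "destination": dst.group(1) if dst else None,
            }
        elif m := RULE_RE.match(line):
            rules[m.group(1)] = {
                "precedence": int(m.group(2)),
                "condition": m.group(3),
                "action": m.group(4),
            }
    return groups, conditions, rules


def check_scanner_access(text, rule_name="SECSUITE_PERMIT", deny_rule="SSH_DENY"):
    """Return a list of problems; an empty list means the scanner permit is complete and effective."""
    groups, conditions, rules = parse_qos_snapshot(text)
    rule = rules.get(rule_name)
    if rule is None:
        return [f"rule {rule_name} missing"]
    problems = []
    if rule["action"] != "PERMIT":
        problems.append(f"rule {rule_name} action is {rule['action']}, not PERMIT")
    cond = conditions.get(rule["condition"])
    if cond is None:
        problems.append(f"condition {rule['condition']} missing")
    else:
        # Both groups must be user-defined; a typo here silently matches nothing.
        for role in ("source", "destination"):
            name = cond[role]
            if name not in groups:
                problems.append(f"{role} group {name} of condition {rule['condition']} not defined")
    deny = rules.get(deny_rule)
    if deny is not None and deny["precedence"] >= rule["precedence"]:
        problems.append(
            f"{deny_rule} precedence {deny['precedence']} is not below {rule_name} precedence {rule['precedence']}"
        )
    return problems


if __name__ == "__main__":
    print(check_scanner_access(SAMPLE_QOS) or "scanner permit OK")
```

Paste the live snapshot text into check_scanner_access() in place of SAMPLE_QOS; an empty list means the permit, its condition and its groups are all in place and ordered ahead of the SSH deny.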

4.2.4 ACAS Scanner cannot login to router during scans

Issue: By default the router only allows the NMS VLAN to access the ssh service.

Solution: Update the access class to allow ACAS Scanner access.

1) Login to the router
2) Type: en
3) Type: show run | begin line vty to determine the access class
   NOTE: record the access class # (2 in example below)
4) Type: show access-list 2 to view the access class
   NOTE: record the first deny line # (20 in example below)
5) Type: config t
6) Type: ip access-list standard 2
7) Type: XX permit [ACAS Scanner IP] 0.0.0.0 log
   NOTE: Replace XX with a line number above the first deny
8) Type: exit
9) Type: copy running-config startup-config
10) Type: exit

    57DV1-u_v4.1.5#sh run | begin line vty
    line vty 0 4
     access-class 2 in
     login authentication server_list
     transport input ssh
    !
    scheduler allocate 20000 1000
    end
    57DV1-u_v4.1.5#sh access-list 2
    Standard IP access list 2
        10 permit XXX.XXX.100.0, wildcard bits 0.0.0.255 log (1238 matches)
        20 deny   any log
    57DV1-u_v4.1.5#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    57DV1-u_v4.1.5(config)#ip access-list standard 2
    57DV1-u_v4.1.5(config-std-nacl)#11 permit XXX.XXX.200.200 0.0.0.0 log
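A helper for steps 4 and 7, added here as an example and not taken from the guide or from Cisco: it parses a show access-list listing (a constructed sample modelled on the output above, with 192.0.2.0/24 in place of the masked network), records the first deny sequence number, picks the next free sequence number below it for the new permit, and refuses anything other than a single IPv4 host for the scanner address so the permit stays host-specific (wildcard 0.0.0.0). Names are the example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the guide's "sh access-list 2" output;
# 192.0.2.0/24 stands in for the masked XXX.XXX.100.0 network.
SAMPLE_ACL = """\
Standard IP access list 2
    10 permit 192.0.2.0, wildcard bits 0.0.0.255 log (1238 matches)
    20 deny   any log
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*)$")


def parse_standard_acl(text):
    """Return (sequence, action, remainder) tuples in listing order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def first_deny_seq(entries):
    """Step 4's NOTE: the sequence number of the first deny entry, or None."""
    for seq, action, _ in entries:
        if action == "deny":
            return seq
    return None


def choose_insert_seq(entries):
    """Step 7's NOTE: the lowest unused sequence number between the last entry
    before the first deny and the deny itself, so the new permit is evaluated
    after the existing permits but before traffic is denied."""
    deny = first_deny_seq(entries)
    if deny is None:
        raise ValueError("ACL has no deny entry; review it manually")
    used = {seq for seq, _, _ in entries}
    before = [seq for seq in used if seq < deny]
    start = max(before) + 1 if before else 1
    for seq in range(start, deny):
        if seq not in used:
            return seq
    raise ValueError("no free sequence number below the first deny; resequence the ACL")


def build_permit_line(entries, scanner_ip):
    """The line typed at step 7: one host only (wildcard 0.0.0.0), logged."""
    ipaddress.IPv4Address(scanner_ip)   # rejects anything that is not a single IPv4 host
    return f"{choose_insert_seq(entries)} permit {scanner_ip} 0.0.0.0 log"


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    print(build_permit_line(acl, "192.0.2.200"))   # 11 permit 192.0.2.200 0.0.0.0 log
```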

4.2.5 Report includes hosts that are no longer on the network*

Issue: Reports are using old data from the repository that contains hosts that are no longer on the network.

* This does not apply to reports generated with CMRS or Vulnerability Remediation Asset Manager (VRAM).

Solution: Re-scan the IP addresses, removing vulnerabilities for inactive hosts.

1) Note the IP addresses of the hosts to remove
2) Log into Security Center
3) Navigate to Scanning > Scans and click Add
   a) Enter a Name
   b) Schedule for Now
   c) Import Repository is <Ship hull>_v4
   d) Enter the IP addresses to remove into the Targets
4) Click Next
5) Select Discovery for Scan Type Policy and click Next
6) In Post Scan Processing select Now for Remove vulnerabilities from scanned hosts that have been inactive for and click Submit

All hosts that do not respond will be removed from the repository.

4.2.6 SCAP scanning returns no results

Issue: Security Content Automation Protocol (SCAP) scans take a very long time to complete and return zero results.

Cause: The SCAP plug-in is either not supported by the scanner and/or the Host Based Security System (HBSS) policy is blocking the SCAP executable.

Solution:

Ensure the scanner is at or above version 5.2:

1) Login to the ACAS-Scanner console
2) Type: sudo /opt/nessus/sbin/nessusd --version

Contact the HBSS administrator and ensure the HBSS policy on the hosts being scanned does not block C:\Windows\Temp\tenable_ovaldi_3ef350e0435440418f7d33232f74f260.exe

4.2.7 HBSS Policy fails to import stating invalid or read only policies

Issue: While importing a policy into the ePolicy Orchestrator (ePO) server, an “Import Policy Error” pops up stating the policy is invalid or contains read only policies.

Cause: The most likely cause for this issue is that the policy is for a module that is not installed on the ePO Server.

Solution: For ACAS, the only policies provided are Host Intrusion Prevention System (HIPS) 7.0, 8.0 and VirusScan for Linux 1.7. Review the CND-OSE 1.3 Site Configuration Guide section Prerequisite: VSE for Linux 1.7 for directions to install the module.

4.2.8 HBSS fails to install deployment task modules

Issue: HBSS Agent is installed on the ACAS-scanner and is communicating with the ePO server but is unable to complete the deployment task to install HIPS, Policy Auditor, etc.

Cause: Most likely the agent got mixed up in its processing of tasks, either due to a reboot or a network glitch.

Solution: First, ensure the ACAS-scanner has been rebooted and another wake-up call from ePO has been performed to try to jump start the deployment. If the module deployment continues to fail, remove the McAfee Agent and perform the McAfee Agent installation process again.

1) Login to the ACAS-Scanner console
2) Type: sudo rpm --erase MFEcma
3) Type: sudo rpm --erase MFErt
4) If the agent installation files still exist inside /home/cnd-b
   a) Type: sudo sh /home/cnd-b/install.sh -i
5) Return to the ACAS Scanner Site Configuration Guide and complete the section, HBSS on ACAS-Scanner VM, to install the Agent again.

4.2.9 BackupExec Server fails to connect to BackupExec Agent on ACAS-scanner

Issue: When checking the box for ACAS-scanner, the popup Failed to log on to: ACAS-scanner continually pops up.

Cause: This could be one of two issues:

• The be_user account credentials do not match on the BackupExec Server and ACAS-scanner VM.

• The firewall on the ACAS-scanner VM is blocking communication.

This solution will address the account credential issue. The firewall issue will be addressed in section BackupExec Agent reports errors during installation if necessary.

Solution: Verify the credentials match for the be_user account on the ACAS-scanner VM and the be_user account on the BackupExec Server.

1) Log into the COMPOSE Exchange Server or the server hosting Symantec BackupExec 2010.
2) Navigate to Start > All Programs > Symantec Backup Exec > Backup Exec 2010.
3) From the top menu bar select Network > Logon Accounts.
4) Highlight the be_user account and click Edit.

5) Click Change Password, enter the new password and click OK.
6) Click OK on the Edit Logon Credentials window.
7) Click OK on the Logon Account Management window.
8) Login to the ACAS-scanner console
9) Type: sudo /root/configure.sh
10) Select 9 – User Management Menu and press enter.
11) Select 3 – Reset OS User Password and press enter.
12) Select the be_user account, press enter and confirm Y to change the password.
13) Enter the new password.
14) If the credentials have been verified and the logon failure popup continues, follow the solution outlined in section BackupExec Agent reports errors during installation to verify the firewall.

4.2.10 BackupExec Agent reported Failed during installation

Issue: During the BackupExec Agent installation errors are reported:

    ping: unknown host mail

Cause: During the BackupExec Agent installation the DNS name 'mail' failed to resolve to an IP Address.

Solution: Verify the firewall rule is missing and manually add the BackupExec Agent firewall rule.

1) Login to the ACAS-scanner console
2) Type: sudo /sbin/iptables -L INPUT -n --line-numbers

    [cnd-b@acas-scanner ~]$ sudo /sbin/iptables -L INPUT -n --line-numbers
    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2    BOGON_DROP_RULE  all  --  192.168.90.15        0.0.0.0/0            state NEW
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
    4    SSH_ACCESS_RULE  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
    5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22,25,80,443,465,587,993,995
    6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 443,591,8834,1243 state NEW
    7    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 13
    8    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 14
    9    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3 state NEW
    10   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0 code 0 state NEW
    11   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 code 0 state NEW
    12   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11 code 0 state NEW
    13   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11 code 1 state NEW
    14   ACCEPT     all  --  192.168.90.15        0.0.0.0/0            state NEW
    15   DEFAULT_DENY_RULE  all  --  0.0.0.0/0            0.0.0.0/0            state NEW
    16   REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

3) If line 7 is: DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13
   Proceed to step 5.

4) If line 7 is: ACCEPT tcp -- X.X.X.X 0.0.0.0/0 tcp multiport dports 10000,11001:11026 state NEW
   Remove the rule. Type: sudo /sbin/iptables -D INPUT 7

5) Determine the IP address of the BackupExec Server (commonly the Primary Exchange Server).

6) Add the rule. Type: sudo /sbin/iptables -I INPUT 7 -p tcp -s [BACKUPEXEC SERVER IP] -m tcp -m multiport --dports 10000,11001:11026 -m state --state NEW -j ACCEPT

7) Save the firewall changes. Type: sudo /sbin/service iptables save
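Steps 3 to 7 as a decision procedure, added here as an example and not part of the guide or of the scanner image: it parses the iptables -L INPUT -n --line-numbers listing (the guide's sample above, re-laid out one rule per line, plus a constructed variant with a stale BackupExec rule at line 7) and returns the exact commands to run, deleting a stale rule first, returning nothing when the correct rule is already there, and refusing to act when line 7 holds something the guide does not describe, since inserting at a fixed position into an unfamiliar chain can push an ACCEPT ahead of a deny. Names and the 192.0.2.x addresses are the example's own.

```python
import ipaddress
import re

BACKUPEXEC_PORTS = "10000,11001:11026"

# First rules of the guide's sample "iptables -L INPUT -n --line-numbers" output,
# one rule per line (the 192.168.90.15 address is the guide's own).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    BOGON_DROP_RULE  all  --  192.168.90.15        0.0.0.0/0            state NEW
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
4    SSH_ACCESS_RULE  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 22,25,80,443,465,587,993,995
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp multiport dports 443,591,8834,1243 state NEW
7    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 13
8    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 14
"""

# Constructed variant for step 4: a BackupExec rule already sits at line 7 but
# names a stale server address (192.0.2.99).
STALE_LISTING = re.sub(
    r"(?m)^7 .*$",
    "7    ACCEPT     tcp  --  192.0.2.99           0.0.0.0/0            "
    "tcp multiport dports 10000,11001:11026 state NEW",
    SAMPLE_LISTING,
)

RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_listing(text):
    """Map rule number -> fields for every numbered line of the listing."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue   # "Chain ..." and column-header lines
        num, target, proto, _opt, src, dst, extra = m.groups()
        rules[int(num)] = {"target": target, "proto": proto, "source": src,
                           "destination": dst, "extra": extra.strip()}
    return rules


def is_backupexec_rule(rule):
    return (rule["target"] == "ACCEPT" and rule["proto"] == "tcp"
            and f"multiport dports {BACKUPEXEC_PORTS}" in rule["extra"])


def is_icmp13_drop(rule):
    return rule["target"] == "DROP" and rule["proto"] == "icmp" and "icmp type 13" in rule["extra"]


def plan_backupexec_rule(listing, server_ip, position=7):
    """Steps 3 to 7 as an ordered list of commands (empty if nothing needs changing)."""
    ipaddress.IPv4Address(server_ip)   # the rule must name a single host, not a range
    rules = parse_listing(listing)
    rule = rules.get(position)
    if rule is None:
        raise ValueError(f"no rule at line {position}; review the INPUT chain by hand")
    cmds = []
    if is_backupexec_rule(rule):
        if rule["source"] == server_ip:
            return cmds   # the correct rule is already in place
        cmds.append(f"sudo /sbin/iptables -D INPUT {position}")   # step 4: stale server address
    elif not is_icmp13_drop(rule):
        # Anything else at line 7 means the chain differs from the guide's layout.
        raise ValueError(f"unexpected rule at line {position}: {rule['target']} {rule['proto']} {rule['extra']}")
    cmds.append(
        f"sudo /sbin/iptables -I INPUT {position} -p tcp -s {server_ip} -m tcp "
        f"-m multiport --dports {BACKUPEXEC_PORTS} -m state --state NEW -j ACCEPT"
    )
    cmds.append("sudo /sbin/service iptables save")
    return cmds


if __name__ == "__main__":
    for cmd in plan_backupexec_rule(SAMPLE_LISTING, "192.0.2.10"):
        print(cmd)
```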

4.2.11 Backup of ACAS-scanner Completes with Exceptions

Issue: The backup of ACAS-scanner reports the job completed successfully. However, files were skipped.

Cause: BackupExec Agent failed to open a file for backup because it was in use by a process.

Solution: This is most likely an active file used by HBSS and can be ignored, as it will not be needed during system recovery. If the file in question is not under [ROOT]/opt/McAfee on the ACAS-Scanner VM it is not HBSS related; contact ISEA with the file path provided in the Job Summary > Exceptions section.

5 Tips, Tricks, and Issues with MSSQL

5.1 Issues

5.1.1 MSSQL Maintenance Plan Fails

Issue: The maintenance plan on the MSSQL database fails to complete with the error message:

    Executing the query "DBCC CHECKDB WITH NO_INFOMSGS" failed

Detailed log review displays this error message:

    Executing the query "ALTER INDEX [IX_EPOAgentHandlerDataChannelWQAttempts_GetCleanupList] ON [dbo].[EPOAgentHandlerDataChannelWQAttempts] REORGANIZE WITH ( LOB_COMPACTION = ON ) " failed with the following error: "The index "IX_EPOAgentHandlerDataChannelWQAttempts_GetCleanupList" (partition 1) on table "EPOAgentHandlerDataChannelWQAttempts" cannot be reorganized because page level locking is disabled.". Possible failure reasons: Problems with the query, "ResultSet" property not set correctly, parameters not set correctly, or connection not established correctly.

Solution: Enable page level locking on all indexes with the sql commands:

    DBCC UPDATEUSAGE('ePO4_HBSS')
    USE ePO4_HBSS
    SET NOCOUNT ON
    -- @DBName / @ODBName hold the table name (ob.Name); variable names kept from the original script
    DECLARE @DBName nvarchar(150), @INName nvarchar(150)
    DECLARE @ODBName nvarchar(150), @OINName nvarchar(150)
    DECLARE @execstr nvarchar(1200)
    --PRINT '-------- Vendor Products Report --------'
    DECLARE Index_cursor CURSOR FOR
        SELECT A.name AS InName, ob.name AS DBName
        FROM sys.indexes A
        LEFT OUTER JOIN sys.objects ob ON ob.object_id = A.object_id
        WHERE allow_page_locks = 0 AND ob.type = 'U'   -- Select only allow_page_locks 0 and User Tables
          AND A.name IS NOT NULL                         -- heaps (index_id 0) have no index name
    OPEN Index_cursor
    FETCH NEXT FROM Index_cursor INTO @INName, @DBName
    WHILE @@FETCH_STATUS = 0
    BEGIN
        PRINT @DBName + ' ' + @INName
        --PRINT @INName
        SET @ODBName = LTRIM(RTRIM(@DBName))
        SET @OINName = LTRIM(RTRIM(@INName))
        -- QUOTENAME brackets both names so an index or table with unusual characters cannot break the statement
        SELECT @execstr = 'ALTER INDEX ' + QUOTENAME(@OINName) + ' ON ' + QUOTENAME(@ODBName) + ' SET (ALLOW_PAGE_LOCKS = ON)';
        EXEC (@execstr);
        FETCH NEXT FROM Index_cursor INTO @INName, @DBName
    END
    CLOSE Index_cursor
    DEALLOCATE Index_cursor

6 Tips, Tricks, and Issues with Backups

Issue: There are no backups listed when using the restore command.

Solution:

• When there are no backups listed either the backup is currently being processed or the backup has failed. Review the logs to determine if the backups are being processed:

1) Type tail /var/log/backup.log

   Sample of incomplete or in process backup:

    CND-IATS Backup Script v1.7 -- 2009-02-18 14:21:59 Using Tape Drive.
    Current VM: MSSQL - 2009-02-18 14:21:59
    VM Path: /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL
    2009-02-18 14:22:00 Creating MSSQL Snapshot.
    2009-02-18 14:22:02 Compressing and Encrypting [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/*-flat.vmdk] to [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz].
    2009-02-18 15:15:39 Removing MSSQL snapshot.
    2009-02-18 15:16:22 Copying Encrypted VM to Tape.
    2009-02-18 15:16:22 Copying /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz to tape.

2) Check the time when the last entry was made by typing 'tail -n 30 /var/log/backup.log | more'. This will list older entries. This way you can compare times of earlier successful backups to get an idea of how long the backups should be taking.

   tail /var/log/backup.log - sample of complete tape backup:

    CND-IATS Backup Script v1.7 -- 2008-12-04 00:30:02 Using Tape Drive.
    Current VM: MSSQL - 2008-12-04 00:30:02
    VM Path: /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL
    2008-12-04 00:30:02 Creating MSSQL Snapshot.
    2008-12-04 00:30:05 Compressing and Encrypting [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/*-flat.vmdk] to [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz].
    2008-12-04 01:19:51 Removing MSSQL snapshot.
    2008-12-04 01:19:54 Copying Encrypted VM to Tape.
    2008-12-04 01:19:54 Copying /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz to tape.
    Backup Tape: A0000001 Tape File: 32646083
    2008-12-04 01:31:45 Removing encrypted file: MSSQL.aes.tgz

3) The backup process can be monitored while it is running. First list the running backup processes: ps xfw | grep -P 'backup|tar'. From the list of processes look for the '--checkpoint 2>' entry and the file path which follows. This file can then be monitored with 'tail /tmp/MSSQL.backup.status' to display the checkpoint. Each subsequent 'tail /tmp/MSSQL.backup.status' will show increasing checkpoints.

4) Optional: If you want to compute the progress of the backup:
   a. Obtain the file size. To get the backup file size, look at the processes for the file path containing .aes.tgz and list the size: 'ls -l /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz'
   b. Divide the checkpoint number by (file size / 10240) and multiply by 100 to get the percentage complete.

   ps xfw | grep -P 'backup|tar' - sample of a running backup:

    17509 tty1     S      0:00  \_ /usr/bin/perl /usr/local/bin/backup -encrypt -system=mssql
    27179 tty1     S      0:00      \_ sh -c tar cvPfM /dev/nst0 /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint 2> /tmp/MSSQL.backup.status
    27180 tty1     S      0:05          \_ tar cvPfM /dev/nst0 /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint
    30472 tty2     S      0:00  \_ grep -P tar|backup

   tail /tmp/MSSQL.backup.status - sample of backup progress (the number after "Write checkpoint" is the checkpoint number):

    tar: Write checkpoint 2033620
    tar: Write checkpoint 2033630
    tar: Write checkpoint 2033640
    tar: Write checkpoint 2033650
    tar: Write checkpoint 2033660
    tar: Write checkpoint 2033670
    tar: Write checkpoint 2033680
    tar: Write checkpoint 2033690
    tar: Write checkpoint 2033700
    tar: Write checkpoint 2033710

   In the complete tape backup sample above, the first and last timestamps mark the start and end of the MSSQL backup; the backup completed in about one hour.

5) If a backup has failed, it may become a stale process and lock up the tape drive, causing future backups to fail. If this is the case, a system reboot will be necessary to recover. To check if a backup has failed, list the processes with ps xfw | grep -P 'backup|tar'; if the third column of one of the processes has a 'D', the backup has stalled and the system will need to be restarted to recover.

   ps xfw | grep -P 'backup|tar' - sample of a failed backup:

    17509 tty1     S      0:00  \_ /usr/bin/perl /usr/local/bin/backup -encrypt -system=mssql
    27179 tty1     S      0:00      \_ sh -c tar cvPfM /dev/nst0 /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint 2> /tmp/MSSQL.backup.status
    27180 tty1     D      0:05          \_ tar cvPfM /dev/nst0 /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint
    30472 tty2     S      0:00  \_ grep -P tar|backup

   This is an example output of a complete backup.

   tail /var/log/backup.log - sample of complete tape backup:

    CND-IATS Backup Script v1.7 -- 2008-12-04 00:30:02 Using Tape Drive.
    Current VM: MSSQL - 2008-12-04 00:30:02
    VM Path: /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL
    2008-12-04 00:30:02 Creating MSSQL Snapshot.
    2008-12-04 00:30:05 Compressing and Encrypting [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/*-flat.vmdk] to [/vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz].
    2008-12-04 01:19:51 Removing MSSQL snapshot.
    2008-12-04 01:19:54 Copying Encrypted VM to Tape.
    2008-12-04 01:19:54 Copying /vmfs/volumes/488e1036-292667a0-ec0a-001b78921c22/MSSQL/MSSQL.aes.tgz to tape.
    Backup Tape: A0000001 Tape File: 32646083
    2008-12-04 01:31:45 Removing encrypted file: MSSQL.aes.tgz
    2008-12-04 01:31:46 Backup of MSSQL Complete
    ------------------------2008-12-04 01:31:47------------------------
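The monitoring in steps 3 to 5 as code, added here as an example and not part of the CND-IATS backup script: it parses ps xfw output (constructed samples modelled on the listings above, with VOLID in place of the datastore UUID) to find the status file named after --checkpoint 2>, flags a process whose STAT column contains D (uninterruptible sleep, the stalled case of step 5), reads the latest Write checkpoint value from the status file, and applies step 4b's formula to get a percentage. Names are the example's own.

```python
import re

RECORD_BYTES = 10240   # the divisor in step 4b: one default tar record

# Constructed samples modelled on the guide's ps and tail output; VOLID stands in
# for the datastore UUID and the tar command line is kept as in the guide.
SAMPLE_PS_RUNNING = r"""
17509 tty1     S      0:00  \_ /usr/bin/perl /usr/local/bin/backup -encrypt -system=mssql
27179 tty1     S      0:00      \_ sh -c tar cvPfM /dev/nst0 /vmfs/volumes/VOLID/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint 2> /tmp/MSSQL.backup.status
27180 tty1     S      0:05          \_ tar cvPfM /dev/nst0 /vmfs/volumes/VOLID/MSSQL/MSSQL.aes.tgz /tmp/padding --new-volume-script=changetape --checkpoint
30472 tty2     S      0:00  \_ grep -P tar|backup
""".strip("\n")

# Same listing with the tar process in uninterruptible sleep ('D'): step 5's stalled backup.
SAMPLE_PS_STALLED = re.sub(r"^(27180\s+\S+\s+)S", r"\1D", SAMPLE_PS_RUNNING, flags=re.M)

# Ten checkpoint lines as tail would show them, 2033620 through 2033710.
SAMPLE_STATUS = "\n".join(f"tar: Write checkpoint {n}" for n in range(2033620, 2033720, 10))

PS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
CHECKPOINT_RE = re.compile(r"tar: Write checkpoint (\d+)")


def backup_processes(ps_text):
    """Parse 'ps xfw' lines into pid/stat/command, dropping the grep itself."""
    procs = []
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        pid, _tty, stat, _time, cmd = m.groups()
        if cmd.lstrip("\\_ ").startswith("grep"):
            continue
        procs.append({"pid": int(pid), "stat": stat, "cmd": cmd})
    return procs


def stalled_pids(ps_text):
    """Step 5: a backup process whose STAT column contains 'D' is stuck on the tape drive."""
    return [p["pid"] for p in backup_processes(ps_text) if "D" in p["stat"]]


def status_file(ps_text):
    """Step 3: the path after '--checkpoint 2>' is where tar writes its progress."""
    for p in backup_processes(ps_text):
        m = re.search(r"--checkpoint\s+2>\s*(\S+)", p["cmd"])
        if m:
            return m.group(1)
    return None


def latest_checkpoint(status_text):
    """Highest 'Write checkpoint N' seen so far in the status file, or None."""
    found = CHECKPOINT_RE.findall(status_text)
    return int(found[-1]) if found else None


def progress_percent(checkpoint, file_size_bytes):
    """Step 4b: checkpoint / (file size / 10240) * 100."""
    if file_size_bytes <= 0:
        raise ValueError("file size must be positive")
    return checkpoint / (file_size_bytes / RECORD_BYTES) * 100


if __name__ == "__main__":
    print("status file:", status_file(SAMPLE_PS_RUNNING))
    print("stalled:", stalled_pids(SAMPLE_PS_STALLED))
    cp = latest_checkpoint(SAMPLE_STATUS)
    print(f"checkpoint {cp}: {progress_percent(cp, cp * RECORD_BYTES * 2):.1f}% of a file twice that size")
```

On the scanner, feed the live output of ps xfw and of tail on the status file into these functions, and the size from ls -l into progress_percent(); a non-empty stalled_pids() result is the signal for the reboot step 5 describes.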

7 Miscellaneous Tips/Tricks/Issues

7.1 KVM USB / PS/2 Mode

The KVM used by CND-IATS has USB and PS/2 modes. Only the PS/2 mode works. If the KVM LED indicates USB mode is active, pressing the Fn + T keys simultaneously for seven seconds will toggle the mode between USB and PS/2.

8 Useful Troubleshooting Commands

8.1 Net Use

Overview: The net use command connects/disconnects the computer from a shared resource, or allows a user to view information about the computer's current connections. This command can also control persistent network connections. If you use the net use command without any parameters, it retrieves a list of current network connections.

How Authentication Works for Net Use Command: When you use the NET USE command to connect to a share on a server in a domain, the following authentication process verifications take place:

• If the client's user name is in the domain's UAS account database, the passwords are compared. If the passwords match, access is allowed to the share. If the passwords do not match, an access denied message is returned.

  This behavior allows for backward compatibility with Windows for Workgroups and other clients. These clients do not pass the domain name to the Server.

• If the client's user name does not match a user name in the domain's UAS, the domain controller checks to see if the client's domain is listed in its trust list. If the client's domain name is on the target domain's trust list, the domain controller communicates with the other domain to see if the client's user account and password are valid. If so, access is allowed to the share. If not, an access denied message is returned.

8.1.1 Net use command syntax:

    net use [{DEVICE | *}] [\\COMPUTER\SHARE[\VOL]] [{PASSWORD | *}]] [/USER:[DOMAIN\]USER] [/USER:[DOTTEDDOMAIN\]USER] [/USER: [USER@DOTTEDDOMAIN] [/SAVECRED] [/SMARTCARD] [{/DELETE | /PERSISTENT:{yes | no}}]

    net use [DEVICE [/HOME[{PASSWORD | *}] [/DELETE:{yes | no}]]

    net use [/PERSISTENT:{yes | no}]

8.1.2 Net use command parameters:

• DEVICE: Assigns a name to connect to the resource or specifies the device to be disconnected. There are two kinds of device names: disk drives (that is, D: through Z:) and printers (that is, LPT1: through LPT3:). Type an asterisk (*) instead of a specific device name to assign the next available device name.

• \\COMPUTER\SHARE: Specifies the name of the server and the shared resource. If COMPUTER contains spaces, use quotation marks around the entire computer name from the double backslash (\\) to the end of the computer name (for example, "\\Computer Name\Share Name"). The computer name can be from 1 to 15 characters long.

• \VOL: Specifies a NetWare volume on the server. You must have Client Service for NetWare installed and running to connect to NetWare servers.

• PASSWORD: Specifies the password needed to access the shared resource. Type an asterisk (*) to produce a prompt for the password. The password is not displayed when you type it at the password prompt.

• /USER: Specifies a different user name with which the connection is made.

• DOMAIN: Specifies another domain. If you omit DOMAIN, net use uses the current logged on domain.

• USER: Specifies the user name with which to log on.

• DOTTEDDOMAIN: Specifies the fully-qualified domain name for the domain where the user account exists.

• /SAVECRED: Stores the provided credentials for reuse.

• /SMARTCARD: Specifies the network connection is to use the credentials on a smart card. If multiple smart cards are available, you are asked to specify the credential.

• /DELETE: Cancels the specified network connection. If you specify the connection with an asterisk (*), all network connections are canceled.

• /PERSISTENT:{yes | no}: Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /DELETE to remove persistent connections.

• /HOME: Connects a user to the home directory.

• net help COMMAND: Displays help for the specified net command.

8.1.3 Net use command Remarks:

Use net use to connect to and disconnect from a network resource, and to view your current connections to network resources. You cannot disconnect from a shared directory if you use it as your current drive or an active process is using it.

a. Viewing connection information. To view information about a connection, you can do either of the following:
   • Type net use DEVICE to get information about a specific connection.
   • Type net use to get a list of all the computer's connections.

• Using deviceless connections: Deviceless connections are not persistent.

• Connecting to NetWare servers: After you install and run Client Service for NetWare, you can connect to a NetWare server on a Novell network. Use the same syntax that you use to connect to a Windows Networking server, except you must include the volume to which you want to connect.

• Using quotation marks: If the ServerName that you supply contains spaces, use quotation marks around the text (that is, "SERVER"). If you omit quotation marks, an error message appears.

8.1.4 Net use Command examples

• To assign the disk-drive device name E: to the Letters shared directory on the \\Fin server, type:
    net use e: \\fin\letters

• To assign (map) the disk-drive device name M: to the directory Mike within the Letters volume on the \\Fin NetWare server, type:
    net use m: \\fin\letters\mike

• To connect the user identifier Dan as if the connection were made from the Accounts domain, type:
    net use d: \\server\share /USER:Accounts\Dan

• To disconnect from the \\Fin\Public directory, type:
    net use f: \\fin\public /DELETE

• To connect to the resource memos shared on the \\Fin 3 server, type:
    net use k: "\\fin 3" \memos

• To restore the current connections at each logon, regardless of future changes, type:
    net use /PERSISTENT:yes

8.2 Nslookup

Overview: Nslookup.exe is a command-line administrative tool for testing and troubleshooting DNS servers. nslookup is used to query DNS servers to find DNS details, including IP addresses of a particular computer. The name nslookup means "name server lookup".

8.2.1 Nslookup Command Syntax

• Look up the IP address of MyHost: NSLOOKUP [-option] MyHost

• Look up the IP address of MyHost on MyNameServer: NSLOOKUP [-option] MyHost MyNameServer
• Enter "command mode": NSLOOKUP

Command Mode options:
• help or ? - print a list of Command Mode options
• exit or ^C - exit "command mode"
• set all - print options, current server and host
• finger [USER] - finger the optional NAME at the current default host
• MyHost - print ip address of MyHost
• MyHost MyNameServer - print ip address of MyHost on MyNameServer
• set [no]debug - print debugging info
• set [no]d2 - print exhaustive debugging info
• set domain=NAME - set default domain name to NAME
• set root=NAME - set root server to NAME
• root - set current default server to the root
• server NAME - set default server to NAME, using current default server
• lserver NAME - set default server to NAME, using initial server
• set srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1, N2,...
• set retry=X - set number of retries to X
• set timeout=X - set initial time-out interval to X seconds
• set [no]defname - append domain name to each query
• set [no]recurse - ask for recursive answer to query
• set [no]search - use domain search list
• set [no]vc - always use a virtual circuit
• set class=X - set query class (for example, IN (Internet), ANY)
• set [no]msxfr - use MS fast zone transfer
• set ixfrver=X - current version to use in IXFR transfer request
• set type=X - set query type
• set querytype=X - set query type (e.g. A, ANY, CNAME, MX, NS, PTR, SOA, SRV)
• ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (and optionally output to FILE)
    • -d - list all records
    • -t TYPE - list records of the given Type (for example, A, CNAME, MX, NS, PTR, and so on)
    • -a - list Aliases and canonical names.
• view FILE - sort an 'ls' output file and view it with pg


8.2.2 Nslookup Command examples

Look up the host name registered for an IP address (reverse lookup):

Nslookup <ip address>
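The following PowerShell wrapper is an added example and is not part of the CND-OSE guide. It drives nslookup.exe with the non-interactive syntax from 8.2.1 (NSLOOKUP -type=X MyHost [MyNameServer]), parses the reply, and then chains the two lookups shown in this section: forward-resolve a host, reverse-resolve each returned address, and report whether the PTR name points back at the host. The function names, the host name and the server address in the usage line are placeholders chosen for the example.

```powershell
# Added example (not from the CND-OSE guide): parse nslookup.exe output and
# check that forward and reverse records agree, against a chosen name server.

function Resolve-WithNslookup {
    param(
        [Parameter(Mandatory)] [string] $Query,       # host name or IP address
        [string] $NameServer,                         # omit to use the default resolver
        [ValidateSet('A', 'PTR', 'CNAME', 'MX', 'NS', 'SOA', 'SRV', 'ANY')]
        [string] $Type = 'A'
    )
    # Non-interactive form from 8.2.1: nslookup -type=X MyHost [MyNameServer]
    $nsArgs = @("-type=$Type", $Query)
    if ($NameServer) { $nsArgs += $NameServer }

    # nslookup prints a banner (Server:/Address: of the resolver), a blank line,
    # then the answer; "can't find" errors go to stderr, so merge both streams.
    $raw = (& nslookup.exe @nsArgs 2>&1 | Out-String)

    $result = [ordered]@{
        Query         = $Query
        Type          = $Type
        Server        = $null
        Names         = @()
        Addresses     = @()
        Authoritative = ($raw -notmatch 'Non-authoritative answer')
        Failed        = ($raw -match "can't find|timed out|No response from server")
        Raw           = $raw
    }

    $pastBanner = $false   # true once the resolver banner has been consumed
    $inAddrList = $false   # true while reading an indented "Addresses:" list
    foreach ($line in ($raw -split "`r?`n")) {
        if (-not $pastBanner) {
            if ($line -match '^Server:\s+(.+?)\s*$') { $result.Server = $Matches[1] }
            if ($line.Trim() -eq '') { $pastBanner = $true }
            continue
        }
        if ($line -match '^Name:\s+(\S+)') {
            $result.Names += $Matches[1]; $inAddrList = $false
        }
        elseif ($line -match '^Address(es)?:\s+(\S+)') {
            $result.Addresses += $Matches[2]; $inAddrList = $true
        }
        elseif ($inAddrList -and $line -match '^\s+(\S+)\s*$') {
            $result.Addresses += $Matches[1]      # continuation line of "Addresses:"
        }
        else { $inAddrList = $false }
    }
    [pscustomobject]$result
}

function Test-DnsRoundTrip {
    # Forward-resolve a host, then reverse-resolve every returned address and
    # report whether the PTR name points back at the host.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $NameServer
    )
    $fwd = Resolve-WithNslookup -Query $HostName -NameServer $NameServer -Type A
    if ($fwd.Failed -or $fwd.Addresses.Count -eq 0) {
        return [pscustomobject]@{
            HostName = $HostName; Address = $null; PtrNames = ''
            Matches  = $false;    Note    = 'forward lookup failed'
        }
    }
    foreach ($ip in $fwd.Addresses) {
        $rev  = Resolve-WithNslookup -Query $ip -NameServer $NameServer -Type PTR
        $ptr  = @($rev.Names | ForEach-Object { $_.TrimEnd('.') })
        $note = ''
        if ($rev.Failed) { $note = 'no PTR record' }
        [pscustomobject]@{
            HostName = $HostName
            Address  = $ip
            PtrNames = ($ptr -join ',')
            Matches  = ($ptr -contains $HostName.TrimEnd('.'))   # case-insensitive
            Note     = $note
        }
    }
}

# Usage (placeholder host and server): one row per address the host resolves to
# Test-DnsRoundTrip -HostName 'host01.example.local' -NameServer '10.0.0.10' | Format-Table
```

The parser only relies on the Name:/Address:/Addresses: lines that Windows nslookup prints for A and PTR answers; for MX, NS or SOA queries the answer is left in the Raw property rather than guessed at. Passing the name server explicitly, as in 8.2.1, is what makes the check useful when troubleshooting: a mismatch that appears only against one server points at that server's zone data rather than at the client.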

8.3 Remote Desktop

Remote Desktop (mstsc.exe) is a command-line administrative tool for gaining remote access. Click Start → Run and type: mstsc /v:<computer name or ip address>


9 3rd Party Tools

9.1 PSEXEC

Overview: PSEXEC is a command-line tool that lets you execute processes on remote systems and redirect console application output to the local system so that these applications appear to be running locally.

Uses: When the HBSS agent cannot be pushed to remote systems from the ePO console, administrators can create an installation package (i.e. by exporting FramePkg.exe from the ePO Console) and push it out via PSEXEC.

9.1.1 Pushing out HBSS agents via PSEXEC

To install the ePO installation package with PSEXEC:

Create Frame Package:
1) Log into the ePO console as an administrator.
2) Click System Tree.
3) Click the button System Tree Actions → New Systems.
4) Under How to add systems select Create and download agent installation package.
5) Uncheck Use Credentials (this is not supported with the DISA HBSS package).
6) Click OK.
7) Right-click FramePkg, select Save Target As, and save to My Documents.
8) Click Close.

Install FramePkg with PSEXEC:
1) Copy both psexec.exe (C:\Program Files\PSTools) and the installation package (FramePkg.exe) to a remote system.
2) Log in to the remote system as an administrator.
3) Open a cmd window: click Start → Run, type cmd, and click OK.
4) Change to the directory where psexec and the installation package are located.
5) Select one of the following three options depending on your situation.

a. Enter this command to install to all systems within the domain:

psexec \\* -u DOMAIN\USERNAME -s -c -f -d framepkg.exe

b. Enter this command to install to one computer:

psexec \\COMPUTERNAME -u DOMAIN\USERNAME -s -c -f -d framepkg.exe

c. Enter this command to install to a list of computer names contained in a file:


psexec @File -u DOMAIN\USERNAME -s -c -f -d framepkg.exe

* The list should have one computer name per line. A list of computers can be exported from Active Directory Users and Computers.

9.1.2 PSEXEC Syntax

Syntax:
    psexec \\computer[,computer[,...]] [options] command [arguments]
    psexec @run_file [options] command [arguments]

Options:
• computer - The computer on which psexec will run command. Default = local system. To run against all computers in the current domain enter "\\*".
• @run_file - Run command on every computer listed in the text file specified.
• command - Name of the program to execute.
• arguments - Arguments to pass (file paths must be absolute paths on the target system).

Switches:

Switch        Description
-a n,n,...    Set processor affinity to n. Processors are numbered 1,2,3,4 etc. For example, to run the application on CPU 2 and CPU 4, enter "-a 2,4".
-c            Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.
-c -f         Copy even if the file already exists on the remote system.
-c -v         Copy only if the file is a higher version or is newer than the remote copy.
-d            Don't wait for the application to terminate. Only use this option for non-interactive applications.
-e            Load the user account's profile; don't use with the system account.
-f            Copy the specified program to the remote system even if the file already exists on the remote system.
-i            Interactive - Run the program so that it interacts with the desktop on the remote system.
-l            Limited - Run the process as a limited user. Only allow privileges assigned to the Users group.


-low, -belownormal, -abovenormal, -high, -realtime
              Run the process at the given priority.
-n s          Specify a timeout of s seconds for connecting to the remote computer.
-p            Specify a password for the user (optional). Passed as clear text; if omitted, you will be prompted to enter a hidden password.
-s            Run the remote process in the System account.
-u            Specifies an optional user name for login to the remote computer.
-x            Display the UI on the Winlogon desktop (local system only).

Additional Uses: PSEXEC can also be used to start GUI applications, but in that case the GUI will appear on the remote machine. Input is passed to the remote system when you press the Enter key; typing Ctrl-C will terminate the remote process. When you specify a username the remote process will execute in that account, and will have access to that account's network resources. If you omit the username, the remote process will run in the same account from which you execute PSEXEC, but because the remote process is impersonating it will not have access to network resources on the remote system. PSEXEC does not require you to be an administrator of the local filesystem; this can allow UserA to run commands as UserB, a Runas replacement.
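The following PowerShell script is an added example and is not part of the CND-OSE guide or of PSEXEC itself. It wraps the list-file deployment step from 9.1.1 (psexec @File -u DOMAIN\USERNAME -s -c -f -d framepkg.exe) with the checks a practitioner wants before running it: the list really has one well-formed, unique computer name per line, psexec.exe and FramePkg.exe are present in the current directory, hosts that do not answer are skipped, and the password is left for psexec to prompt for rather than passed with -p, which 9.1.2 notes is sent as clear text. The function names, the file names and the DOMAIN\USERNAME in the usage lines are placeholders chosen for the example.

```powershell
# Added example (not from the CND-OSE guide): validate the computer list and run
# the 9.1.1 deployment command with the switches the guide specifies.

function Test-ComputerListFile {
    # Returns the usable computer names plus a list of problems (blank, malformed
    # or duplicate lines) instead of feeding them straight to psexec @File.
    param([Parameter(Mandatory)] [string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "List file not found: $Path" }
    $seen     = @{}
    $clean    = New-Object System.Collections.Generic.List[string]
    $problems = New-Object System.Collections.Generic.List[string]
    $lineNo   = 0
    foreach ($rawLine in @(Get-Content -LiteralPath $Path)) {
        $lineNo++
        $name = $rawLine.Trim().TrimStart('\')    # tolerate "\\HOST" style exports
        if ($name -eq '') { $problems.Add("line ${lineNo}: blank"); continue }
        # DNS/NetBIOS labels: letters, digits, hyphens; dotted labels allowed (FQDN)
        if ($name -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,62}(\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*$') {
            $problems.Add("line ${lineNo}: malformed entry '$rawLine'"); continue
        }
        if ($seen.ContainsKey($name.ToLower())) {
            $problems.Add("line ${lineNo}: duplicate '$name'"); continue
        }
        $seen[$name.ToLower()] = $true
        $clean.Add($name)
    }
    [pscustomobject]@{ Computers = $clean.ToArray(); Problems = $problems.ToArray() }
}

function Invoke-AgentPush {
    # Runs the guide's "psexec @File ..." deployment against a validated list.
    param(
        [Parameter(Mandatory)] [string] $ListPath,   # exported from AD Users and Computers
        [Parameter(Mandatory)] [string] $User,       # DOMAIN\USERNAME
        [string] $Package = 'framepkg.exe',          # in the current directory, per step 4
        [string] $PsExec  = '.\psexec.exe',
        [switch] $Preview                            # show the command line, run nothing
    )
    foreach ($file in @($PsExec, $Package)) {
        if (-not (Test-Path -LiteralPath $file)) { throw "Required file not found: $file" }
    }
    $list = Test-ComputerListFile -Path $ListPath
    if ($list.Problems.Count -gt 0) {
        $list.Problems | ForEach-Object { Write-Warning $_ }
        throw "Fix the list file before deploying ($($list.Problems.Count) problem(s))."
    }
    # Ping first so psexec does not spend its connect timeout (-n) on every dead host.
    $reachable   = @($list.Computers | Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet })
    $unreachable = @($list.Computers | Where-Object { $reachable -notcontains $_ })
    if ($reachable.Count -eq 0) { throw 'No host in the list answered; nothing to deploy.' }

    # Write the filtered list to a fresh file; the original export is left untouched.
    $runList = Join-Path $env:TEMP 'agentpush-targets.txt'
    $reachable | Set-Content -LiteralPath $runList -Encoding ASCII

    # Switches exactly as in 9.1.1: -s (System account), -c -f (copy, overwriting an
    # existing copy), -d (don't wait; FramePkg is non-interactive). No -p: psexec
    # prompts for a hidden password, so it never appears in the command line,
    # the shell history or a process listing.
    $psArgs = @("@$runList", '-u', $User, '-s', '-c', '-f', '-d', $Package)
    if ($Preview) { return "$PsExec $($psArgs -join ' ')" }

    & $PsExec @psArgs
    [pscustomobject]@{
        Attempted   = $reachable
        Unreachable = $unreachable
        ExitCode    = $LASTEXITCODE
    }
}

# Usage (placeholder file and account): preview the command line first, then run it
# Invoke-AgentPush -ListPath '.\computers.txt' -User 'EXAMPLE\svc_deploy' -Preview
# Invoke-AgentPush -ListPath '.\computers.txt' -User 'EXAMPLE\svc_deploy'
```

The returned object records which hosts were attempted and which were skipped, so a second run can be limited to the Unreachable list instead of re-pushing to every machine. -d returns as soon as FramePkg has been started on each host, so the exit code reflects psexec's own success at launching the package, not the outcome of the agent install; confirm that in the ePO console System Tree.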

9.1.3 PSEXEC Examples Launch an interactive command prompt on \\workstation64:

psexec \\workstation64 cmd

Execute IpConfig on the remote system, and display the output locally:

psexec \\workstation64 ipconfig /all

Copy the program test.exe to the remote system and execute it interactively:

psexec \\workstation64 -c test.exe

Execute a program that is already installed on the remote system:

psexec \\workstation64 "c:\Program Files\test.exe"

Run Internet Explorer on the local machine but with limited-user privileges:

psexec -l -d "c:\program files\internet explorer\iexplore.exe"


For full details on PSEXEC usage see: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

