Subtitled… okay MBSA 2.0 is closer…but I STILL cannot consistently scan my domain worth a darn…..


Okay so we already heard from a poster that he used a dll exclusion in the firewall…



So we went back into our Small business server firewall settings… and clicked on “define program exceptions”



And then on “Show” and added an exclusion exactly like this:  %WINDIR%\SYSTEM32\dllhost.exe:10.0.0.2:Enabled:WSUS Port so that it ended up looking like that:




(Remember I’m still on that old fashioned SBS IP addressing that we used to use in the 4.0 days)  And now… on those workstations that are checking into the MBSA console..they are properly scanning the patch status… but I still do not have a consistent scan-ability of the network.  Even when I added the extra RPC connectivity allowance like Level Platforms needs.
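The exclusion above follows the path:scope:status:name syntax of the Define program exceptions policy. As an added example (not code from the post), here is a small Python audit that parses such entries and flags the ones whose scope is wider than the single scanning host; it assumes the scope field accepts "*", "localsubnet" and IPv4 addresses or subnets, and the sample entries are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class ProgramException(NamedTuple):
    path: str
    scope: List[str]  # items: '*', 'localsubnet', an IPv4 address or a subnet
    enabled: bool
    name: str

def parse_exception(entry: str) -> ProgramException:
    """Parse one path:scope:status:name entry; the path itself may hold 'C:'."""
    parts = entry.rsplit(":", 3)  # split from the right so the drive colon survives
    if len(parts) != 4:
        raise ValueError(f"malformed entry: {entry!r}")
    path, scope, status, name = parts
    items = [s.strip() for s in scope.split(",") if s.strip()]
    return ProgramException(path, items, status.lower() == "enabled", name)

def scope_item_ok(item: str) -> bool:
    """True if the item is a literal the firewall scope field accepts (assumed set)."""
    if item.lower() in ("*", "localsubnet"):
        return True
    try:
        ipaddress.IPv4Network(item, strict=False)  # 10.0.0.2 or 10.0.0.0/24
        return True
    except ValueError:
        return False

def audit(entries: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, issue) pairs for entries an admin should revisit."""
    findings = []
    for entry in entries:
        ex = parse_exception(entry)
        if not ex.enabled:
            findings.append((ex.name, "rule present but disabled"))
        if "*" in ex.scope:  # any source address may reach the program
            findings.append((ex.name, f"{ex.path} reachable from any address"))
        for item in ex.scope:
            if not scope_item_ok(item):
                findings.append((ex.name, f"invalid scope item {item!r}"))
    return findings

# Constructed sample policy; the first entry mirrors the one in the post.
SAMPLE_ENTRIES = [
    r"%WINDIR%\SYSTEM32\dllhost.exe:10.0.0.2:Enabled:WSUS Port",
    r"C:\Windows\system32\dllhost.exe:*:Enabled:Scan from anywhere",
    r"C:\Program Files\Agent\agent.exe:10.0.0.0/24,localsubnet:Disabled:Agent",
    r"C:\Tools\rpc.exe:10.0.0.999:Enabled:Typo in scope",
]
```

Only the first entry, scoped to the one console address, passes cleanly; the others are reported with the reason.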


I’m still getting way too much of this error on some of the workstations…and then I’ll scan again and won’t get it for those same workstations…. I am scanning by netbios domain name… so why isn’t this still working?  Or I should say…consistently working?


Why am I seeing error “Could not resolve the computer name: name. Please specify computer name, domain\computer, or an IP address.”?
A.

This error is common when scanning based on an IP address range. This is because MBSA will convert the range into a list of specific IP addresses for that range and attempt to resolve each IP address into the associated NetBIOS computer name. When that name resolution cannot be performed because the computer is switched off, or the IP address is not in use, this error will be returned.


The error can also happen when using a domain name if domain members are not accessible on the network, such as a laptop computer roaming outside the wireless network, or a desktop computer that has been shut down.


If you specify a DNS fully qualified domain name (FQDN) as the domain to be scanned, you will also see these errors. In that case, you need to use the NetBIOS compatible domain name.


But I’m not.. I DID put in the netbios based domain name…. and I kid you not.. many of the people I talk to say that they tried MBSA 2.0… couldn’t get consistent scanning results… got frustrated and dropped using it…. because they too couldn’t get it to scan through the firewall.


But this reminds me of an email thread I had today with a guy about keeping “some” network goo… as a balance between security and that manageability that I need to have ….as while Dr. Jesper Johansson is talking about Server and Domain Isolation techniques… I’m sitting here poking holes in the firewall and knocking off the Strict RPC compliance in ISA server because I want…. no… I NEED to have manageability of the network.  I NEED to have a foundational bit of ‘goo’ that runs throughout my entire network so that I can scan them and get assurances that they have protections in place… I mean yeah… scan my SBS box and it says I have “Severe risks” …but right now.. the fact that I can’t scan my entire network… I think ..means I have a bigger risk.  I mean I know I can’t do the Server and Domain isolation stuff the big server guys have to do… but it sure would be nice if I could scan the network with MBSA….


Stay tuned…. we’re getting closer…..


2 Responses to Let’s not isolate ourselves too much….

  1. Alun Jones says:

    I’ll see if I can find the group policy setting that allows you to make the firewall “open up” for scans from particular machines.

  2. Alun Jones says:

    Here you go:
    http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/fwgrppol.mspx#E1HAC
    “Configuring Windows Firewall Settings Using Group Policy”
    You will particularly want the “Windows Firewall: Allow authenticated IPSec bypass” to allow an IPSec-authenticated machine to scan your desktops.