Compliance Manager Internal Scans consist of two types of scan:
- Network Scan
- Local Scan (Push)
During the Compliance Manager assessment process, one of the To Do items that precedes the scans is the Prescan Analysis. Its purpose is to identify which machines will and will not be reachable by the automated Network Scan and Local Scan.
There are two sections of the Recommendations section of the Prescan results that I like to focus on (see below). They list the errors each machine returned when the Compliance Manager tested whether it could be scanned by the Network Scan or the Local Push Scan. These errors are typically generated when the scanning prerequisites have not been met on one or more of the computers listed.
The first step in ensuring all the prerequisites have been met is to identify the type of network being assessed: is it an Active Directory Domain or a Workgroup environment? Secondly, determine whether the customer runs some type of Antivirus. Below is a list of prerequisites that should be met once these questions have been answered.
Network Scan prerequisites for a Domain Environment
Ensure the following protocols and services are reachable on each machine joined to the domain.
- WMI - Accounts for 95% of the data collected by the data collectors. The following article provides step by step instructions on how to create a GPO that allows access to WMI through the local Windows Firewall on machines joined to the Domain - https://support.rapidfiretools.com/hc/en-us/articles/360007604538-Configure-GPO-to-Allow-WMI-access-to-all-workstations-in-a-Domain-Environment
- Remote Registry - Used to remotely query the registry on each machine joined to the network. The following KB article provides step by step instructions on how to set the Remote Registry service to start automatically - https://support.rapidfiretools.com/hc/en-us/articles/360007560757-Configuring-GPO-to-set-Remote-Registry-Service-to-Automatic
- ICMP - Used to identify active endpoints on the network during the Network Scan. The data collector pings every address in the IP range specified in the Compliance Manager's scan settings and only scans those that reply, so a host whose firewall drops ICMP echo requests is treated as inactive and skipped.
- SNMP - Used to scan network devices (i.e. routers, switches, printers, etc.).
Local Scan prerequisites for a Domain Environment
It helps to know how the automated local scan process works in order to understand how the prerequisites are used.
During the Local Scan process the Compliance Manager attempts to create a folder called NDA1-XXXX in the Admin$ share of each machine, where XXXX is the appliance ID. Once the directory has been created it copies over a self-extracting executable called NetworkDetectiveDatacollectorNoRun.exe and launches it, which extracts all of the Compliance Manager data collector executables into that folder.
Once the data collectors have been extracted it launches the data collector executable to perform the scan. When the scan completes it copies the scan file back to the Compliance Manager server and uploads the file to the Compliance Manager portal. After all the local scans have completed, the portal merges the local scan data into the Network Scan database and updates the To Do item in the portal, progressing you to the next step of the assessment.
- WMI - Is used to launch the data collectors on the remote machines
- Admin$ (C:\Windows) - The location on the remote machines where the Compliance Manager creates its working directory \NDA1-XXXX, where XXXX is the appliance ID.
Note: This is a temporary folder. Once the local scan completes the directory is removed leaving no footprints.
- .NET - The framework the data collectors run on. The local scan data collector cannot run unless .NET Framework 3.5 or later is enabled.
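Before the Prescan Analysis is run, the same prerequisites can be checked from the scanning host with a short script. The following is an added example and not RapidFire Tools code; it assumes the account running it is a domain admin (or a local admin on every target) and that the target names are replaced with the assessment's own hosts. It exercises the Network Scan checks (ICMP, WMI over DCOM, Remote Registry) and the Local Scan checks (WMI, Admin$, .NET 3.5 or 4.x) in one pass; SNMP for network devices is not covered, since that needs an SNMP walk against UDP 161 rather than a Windows API call.

```powershell
# Added example, not RapidFire Tools code: check from the scanning host whether each
# target meets the Network Scan and Local Scan prerequisites listed above.
# Assumes the current user is a domain admin (or local admin on every target).

function Test-ScanPrerequisites {
    param([Parameter(Mandatory)][string]$Target)

    $r = [ordered]@{ Computer = $Target }

    # ICMP: the collector pings each address before scanning it, so a host that
    # drops echo requests is skipped by the Network Scan entirely.
    $r.Icmp = Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue

    # WMI over DCOM, the transport the data collectors use. Get-CimInstance defaults
    # to WSMan, which would not exercise the WMI firewall rule group, so force DCOM.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $cs  = New-CimSession -ComputerName $Target -SessionOption $opt -OperationTimeoutSec 15 -ErrorAction Stop
        $os  = Get-CimInstance -CimSession $cs -ClassName Win32_OperatingSystem -ErrorAction Stop
        Remove-CimSession $cs
        $r.Wmi = $true
        $r.OS  = $os.Caption
    } catch {
        $r.Wmi = $false
        $r.OS  = $_.Exception.Message   # e.g. "The RPC server is unavailable" when the group is blocked
    }

    # Remote Registry: open HKLM remotely and, while there, read the .NET install
    # state (NDP\v3.5 Install=1 for 3.5; NDP\v4\Full Release present for 4.x).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
        $v35  = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5')
        $v4   = $hklm.OpenSubKey('SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')
        $r.RemoteRegistry = $true
        $r.NetFx35 = ($null -ne $v35) -and ($v35.GetValue('Install') -eq 1)
        $r.NetFx4  = ($null -ne $v4)  -and ($null -ne $v4.GetValue('Release'))
        $hklm.Close()
    } catch {
        $r.RemoteRegistry = $false
        $r.NetFx35 = $null
        $r.NetFx4  = $null
    }

    # Admin$ (C:\Windows): where the NDA1-XXXX working directory is created. Needs
    # File and Printer Sharing (SMB, TCP 445) open and an account with local admin rights.
    $r.AdminShare = Test-Path -Path "\\$Target\admin$" -ErrorAction SilentlyContinue

    [pscustomobject]$r
}

# Constructed host names for illustration; replace with the assessment's IP range or OU.
'WS01', 'WS02', 'SRV01' | ForEach-Object { Test-ScanPrerequisites -Target $_ } | Format-Table -AutoSize
```

A row with Icmp false but Wmi true is a host that will be skipped by the Network Scan only because it drops ping; a row with Wmi false and an RPC error is the WMI rule group in the local firewall, which the GPO article above fixes. RemoteRegistry false with Wmi true usually means the service is set to Manual or Disabled rather than a firewall problem.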
Workgroup scan prerequisites
1. WMI - Unlike domain environments, security policies are enforced locally on each individual machine, therefore in order to scan workgroup machines via the WMI protocol the following command must be run from an elevated command prompt on each machine in the Workgroup.
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
2. Admin$ - In order to access the admin$ share on Workgroup machines File and Printer Sharing needs to be enabled. File and Printer sharing can be enabled by running the following command on each machine from an elevated command prompt.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
3. .NET - Ensure .NET Framework 3.5 or later is enabled on each machine in the workgroup.
4. Local Account Token Filter Policy - By default, remote administrative tasks on Workgroup machines can only be performed by the built-in Administrator account; any other local administrator receives a filtered (non-elevated) token over the network. In order to allow any local admin to perform remote administrative tasks the following command must be run from an elevated command prompt on each machine.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
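The four workgroup steps above can be applied and verified in one go from an elevated PowerShell prompt on each machine. The following is an added example and not RapidFire Tools code; it assumes Windows 8/Server 2012 or later (where .NET 3.5 is an optional feature) and a hypothetical script name of Set-WorkgroupScanPrereqs.ps1. It also includes the step the list does not mention: reverting LocalAccountTokenFilterPolicy after the assessment, since leaving it set means any local admin account's credentials or hash can be used for remote admin on every machine where that account exists.

```powershell
# Added example, not RapidFire Tools code: apply the four workgroup prerequisites
# above on one machine, idempotently, then report their state. Run from an elevated
# PowerShell prompt on each workgroup machine; -Revert removes the
# LocalAccountTokenFilterPolicy change once the assessment is done.
param([switch]$Revert)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Groups    = 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing'

$id = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $id.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

if ($Revert) {
    # Deleting the value restores the default (0): only the built-in Administrator
    # gets a full token over the network again.
    Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    return
}

# Steps 1 and 2: same effect as the two netsh commands, enabling every rule in each group.
foreach ($g in $Groups) {
    Enable-NetFirewallRule -DisplayGroup $g -ErrorAction Stop
}

# Step 3: .NET 3.5 is an optional feature; enabling it needs Windows Update or the
# install media reachable (add -Source <path> to Enable-WindowsOptionalFeature if not).
if ((Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart | Out-Null
}

# Step 4: LocalAccountTokenFilterPolicy=1 gives every member of local Administrators
# a full token over the network, not just the built-in Administrator. It also means a
# stolen hash of any local admin account can be replayed against every machine where
# that account exists, so keep it set only for the assessment window and run -Revert.
New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Verify: no rule in either group still disabled, NetFx3 enabled, policy value 1.
[pscustomobject]@{
    WmiRulesDisabled  = @(Get-NetFirewallRule -DisplayGroup $Groups[0] | Where-Object Enabled -ne 'True').Count
    SmbRulesDisabled  = @(Get-NetFirewallRule -DisplayGroup $Groups[1] | Where-Object Enabled -ne 'True').Count
    NetFx3            = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    TokenFilterPolicy = (Get-ItemProperty -Path $PolicyKey).LocalAccountTokenFilterPolicy
}
```

Run it once per machine before the scan (`.\Set-WorkgroupScanPrereqs.ps1`) and again with `-Revert` after the To Do item has cleared. The firewall rule groups and .NET feature are left in place, since they are needed for any later rescans and do not change who can authenticate remotely; the token filter policy is the one setting that widens remote admin access and so is the one to roll back.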
NOTE: The prerequisites noted above affect Windows settings ONLY. They do not take Antivirus into account, so exceptions such as the following may need to be added to the AV solution employed by the client.
Whitelisting Compliance Manager executables in Antivirus solutions.
Some Antivirus programs require the executable name, the executable path or both in order to whitelist executables. Below is a list of the executables used by the Compliance Manager as well as the paths that need to be whitelisted on each machine before the scan is performed.
Executables used by the Compliance Manager:
Path to executables on remote workstations:
C:\Windows\NetworkDetective-NDA1-XXXX where XXXX is the appliance ID associated with that site in the Compliance Manager portal.
Path to executables on machine hosting Compliance Manager Server:
C:\Program Files (x86)\RapidFireTools\Server\bin\collectors\wmidispatcher