You need to create a NAC rule to allow Terminal Services ('C:\WINDOWS\System32\svchost.exe -k termsvcs') to accept connections as a server on TCP port 3389.
Would you have step-by-step instructions? I have no training on this product. I was taught a little on CSA 4.x, which we have in place now, by a consultant, and I want to know how to do it the right way. He only showed me that when something is blocked, run the wizard and click Next until it says Finished.
Thanks for any help
You should see a Network Access Control rule that blocks port 3389. Similar to this: "The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on TCP port 3389 from xxx.xxx.xxx.xxx using interface xxxxxxxxxx. The operation was denied."
You could use the wizard to create an exception to the Network Access Control rule that blocked this. You can later add other IPs to the exception by going to the exceptions page in the CSA Management Center (Policy exceptions).
When I launch mstsc to the MC server it fails to connect, but when I look at the events it does not show any events for the block.
My setup is this: 1 MC server and 1 desktop, both in learn mode. I do see other blocked events, and I run the wizard to let them through.
I am guessing that in your log or monitor view you possibly have "filter out similar events" on. Go into the log view, use Change Filter to show only the MC server, and select NO on "filter out similar events". Then click the View button.
This will show all events for that server in the last 24 hours. If the filter is hiding the TermServ events, this will reveal them.
That worked, in the sense that I got to see more events, but nothing pointing to termsvcs or anything close to it. I also tried to map to c$ or d$; it denies, but also does not generate an event. Do you know of any good books for this product other than the supplied documentation?
OK, I got it. What I had to do was put it in audit mode. Then the alert showed up in the events and I was able to run the wizard.
Thanks for everyones help in pointing me in the right direction
The reason audit mode showed the hit was that the rule probably was not logging the event. (Guess I should have thought of that....) You can go back to the rule, enable logging, and then turn off audit mode to test it.
Thanks for coming back and responding how you figured it out.
When you say you put it in audit mode, could you expand on this? I've got exactly the same problem and this is my first time with CSA, so I'm struggling to find the solution.
If you put a group or rule module in Audit mode, any corresponding rule will not do any blocking. It will fire alerts exactly as they would have happened if not in audit mode. In the alerts, however, you would typically see "This operation would have been denied". It lets you test rules before blocking activities. It is also useful if you are only using CSA as more of a "detection" agent rather than a "prevention" agent.
You can put a machine in audit mode in 2 places. 1) You can go into the properties of the group the machine is in, expand the "Rule Overrides" section and check the box "Audit Mode". **This will put every policy (ergo rule module) in audit mode.
2) You can go into Configuration -> Rule Modules. Select the specific rule module you would like in audit mode. Again, expand the "Rule Overrides" section and check the box "Audit Mode".
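Added example (not part of the original thread and not Cisco's code): a small Python triage script that parses NAC event lines in the wording quoted above, tells an enforced deny ("The operation was denied") apart from an audit-mode hit ("would have been denied"), keeps only the svchost -k termsvcs listener on TCP 3389, and lists the source addresses you would consider adding to the exception. The exact field layout of real CSA MC events is an assumption, and the sample lines are constructed, not real log output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern derived from the event wording quoted in this thread. The exact
# field layout of real CSA MC events is an assumption; adjust if yours differ.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"accept a connection as a server on (?P<proto>TCP|UDP) port (?P<port>\d+) "
    r"from (?P<src>\S+) using interface (?P<iface>.+?)\. "
    r"The operation (?P<outcome>was denied|would have been denied)\."
)


@dataclass
class NacEvent:
    process: str
    user: str
    proto: str
    port: int
    src: str
    iface: str
    enforced: bool  # True: actually blocked; False: audit mode ("would have been denied")


def parse_event(line: str) -> Optional[NacEvent]:
    """Return a NacEvent for a NAC deny/audit line, or None for anything else."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return NacEvent(
        process=m.group("process"),
        user=m.group("user"),
        proto=m.group("proto"),
        port=int(m.group("port")),
        src=m.group("src"),
        iface=m.group("iface"),
        enforced=(m.group("outcome") == "was denied"),
    )


def termsvcs_events(lines: List[str]) -> List[NacEvent]:
    """Keep only Terminal Services (svchost -k termsvcs) listeners on TCP 3389."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.proto == "TCP" and ev.port == 3389 and "-k termsvcs" in ev.process:
            hits.append(ev)
    return hits


def exception_sources(events: List[NacEvent]) -> List[str]:
    """Distinct source addresses that hit the rule: the candidate list for the exception."""
    return sorted({ev.src for ev in events})


# Constructed sample lines modelled on the message quoted in the thread (not real
# log output). Line 2 is the same hit as seen in audit mode; line 3 is a different
# port and must be filtered out; line 4 is not a NAC event at all.
SAMPLE_EVENTS = [
    r"The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) "
    r"attempted to accept a connection as a server on TCP port 3389 from 10.1.1.50 "
    r"using interface Local Area Connection. The operation was denied.",
    r"The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) "
    r"attempted to accept a connection as a server on TCP port 3389 from 10.1.1.51 "
    r"using interface Local Area Connection. The operation would have been denied.",
    r"The process 'C:\WINDOWS\System32\svchost.exe -k rpcss' (as user NT AUTHORITY\NETWORK SERVICE) "
    r"attempted to accept a connection as a server on TCP port 135 from 10.1.1.50 "
    r"using interface Local Area Connection. The operation was denied.",
    "Agent 'MCSERVER' registered with the Management Center.",
]


if __name__ == "__main__":
    hits = termsvcs_events(SAMPLE_EVENTS)
    for ev in hits:
        mode = "BLOCKED" if ev.enforced else "AUDIT (would have been denied)"
        print(f"{mode}: {ev.src} -> {ev.proto}/{ev.port} via {ev.iface}")
    print("Sources to consider for the exception:", exception_sources(hits))
```

Run it against an export of the MC log view; anything flagged AUDIT means the rule is not yet enforcing, and anything flagged BLOCKED but not in your event list means the rule is not logging, which is the situation described earlier in this thread.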
I'm not sure what was going on... it was all getting a little fuzzy. Re-installed, I managed to find my way to the section for Audit, which overwrote the rules, but I didn't have admin rights to change it. Went under Maintenance, Administrators, Account Management and worked out how to change my preferred modes. Then from the logs I used the wizard to allow Terminal Services.
Great help thanks,
Good. Just take your time and document what you are doing. Once you figure out how to navigate and how things work in relation to each other, you will learn soon enough.
Just don't make exceptions on a whim, otherwise you can degrade your security.
No problem. I try to help out when I can. I'll try to help out more as I'm starting to really understand CSA more.
I've been absorbing CSA the last 9 months (with two upgrades) and I am starting to see it in my dreams....