CSA 6.0 and terminal services

Unanswered Question
Oct 29th, 2008

Installed csa 6.0 MC on a server . when i try to rdp into it it errors out. in the install guide it says you have edit the mc policy but it does not say what or how

thanks for any help

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
tsteger1 Wed, 10/29/2008 - 16:45

You need to create a NAC rule to allow Terminal Services ('C:\WINDOWS\System32\svchost.exe -k termsvcs') to accept connections as a server on TCP port 3389.

Tom

jimmahoney99 Thu, 10/30/2008 - 06:28

would you have step by step instructions. I have no training on this product. i was taught a little on csa 4.x we have in place now by a consultant and i want to know how to do it the right way. he only showed me that when something is blocked to run the wizard and click next unti it it says finished

Thanks for any help

Jim

matt_nels Thu, 10/30/2008 - 06:39

You should see an Network Access Control Rule that blocks port 3389. Similar to this: "The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on TCP port 3389 from xxx.xxx.xxx.xxx using interface xxxxxxxxxx. The operation was denied."

You could use the wizard to create an exception to the Network Access Control rule that blocked this. You can later add other IPs to the exception by going to the exceptions page the CSA Management Center Policy exceptions.

jimmahoney99 Thu, 10/30/2008 - 08:40

Matt

when i launch mstsc to the MC server it fails to connect. but when i look at the events it does not show any events for the block.

My setup is this 1) Mc Server and 1)Desktop both are are in learn mode. I do see other blocked events and i run the wizard to let them through.

Thanks

Jim

matt_nels Thu, 10/30/2008 - 08:48

I am guessing that in your log or monitor view you have "filter out similar events" on possibly. Go into the log view, and use the Change Filter to show only the MC server, and select NO on the "filter our similar events". Then click the view button.

This will show all events for that server in the last 24 hours. If the filter is hiding the TermServ events, this will reveal them.

jimmahoney99 Thu, 10/30/2008 - 10:55

that worked in a sense that i got to see meroe events but nothing pointing to termsvcs or anything close to it. I also tried to map to c$ or d$ but it denies but also does not generate an event. do you know of any good books for this product other than the supplied documentation

jimmahoney99 Thu, 10/30/2008 - 12:00

Ok I Got It. What I had to do was put it in audit mode. then the alert shoed up in the events and i was able to run the wizard

Thanks for everyones help in pointing me in the right direction

Jim

matt_nels Thu, 10/30/2008 - 19:09

The reason the audit mode showed the hit, was the fact that the rule probably was not logging the event. (guess I should have thought of that....) You can go back to the rule, enable the logging, and then turn off audit mode to test it.

Thanks for coming back and responding how you figured it out.

graces Fri, 04/03/2009 - 05:38

Hi Jim,

When you say you put it audit mode, could you expand on this? I've got exactly the same problem and this is my first time with CSA so I'm struggling to find the solution.

Thanks,

Simon

matt_nels Fri, 04/03/2009 - 06:26

Simon,

If you put a group or rule module in Audit mode, any corresponding rule will not do any blocking. It will fire alerts exactly as they would have happened if not in autdit mode. In the alerts however you would typically see "This operation would have been denied". It let's you test rules before blocking activites. It is also useful if you are only using CSA as more of a "detection" agent rather than a "prevention" agent.

You can put machine in audit mode in 2 places. 1) you can go into the properties of the group the machine is in, expand the "Rule Overides" section and check the box "Audit Mode". **This will put every policy (ergo rule module) in audit mode.

2) you can go into configuration->rule modules. Select the specific rule module you would like in audit mode. Again, expand the "Rule Overides" section and check the box "Audit Mode".

graces Fri, 04/03/2009 - 08:24

Hi Mat,

I'm not sure what was going on...it was all getting a little fuzzy. Re-installed, I managed to find my way to the section for Audit which over wrote the rules but didn't have admin rights to change it. Went under Maintance, administrators, account management and worked out how to change my preffered modes. Then from the logs used to wizard to allow terminal services.

Great help thanks,

Simon.

matt_nels Fri, 04/03/2009 - 08:29

Good. Just take your time and document what you are doing. Once you figure out how to navigate and how things work in relation to eachother, you will learn soon enough.

Just don't make exceptions on a whim, otherwise you can degrade your security.

tsteger1 Thu, 10/30/2008 - 17:01

Thanks for stepping in Matt. Got kind of caught up in an Active Directory migration mystery...

Tom

matt_nels Thu, 10/30/2008 - 19:14

No problem. I try to help out when I can. I'll try to help out more as I'm starting to really understand CSA more.

I've been absorbing CSA the last 9 months (with two upgrades) and I am starting to see it in my dreams....

jimmahoney99 Fri, 10/31/2008 - 06:42

No problem. would you know if cisco is teaching csa 6.0 or are the materials for 5.x

still. I'm really am trying to get a feel for 6.0 we have 4.x in place well before i got here and the people have been complaining about it. so i have been looking at other products to replace csa. but i want to give 6.0 a fair chance since it is revamped from 4.x

matt_nels Mon, 11/03/2008 - 06:27

I don't. And looking through the training catalog, it looks like there isn't any training available.

I too would be interested in some training as long as it is "in-depth" material.

helmut.rechnitz... Tue, 04/07/2009 - 04:54

Hello!

If you are looking for a really good training look at priveon.com - I was 2 Weeks ago in Frankfurt/Germany on a 4 day Class and it was an in depth training for the CSA 6.0 - the trainier was Chad Sullivan, its the guy who wrote the books für CSA, that you can buy on Cisco Press...

mdreelan Tue, 04/14/2009 - 10:47

I'll actually be going to this class in RTP NC the last week of April. Let me know if you want some feedback on the class.

jimmahoney99 Tue, 04/14/2009 - 12:30

I would love to hear some feedback and any book recommendations. is this training direct from cisco or a third party ?

mdreelan Wed, 04/15/2009 - 06:38

Third party, but as written earlier, Chad Sullivan wrote both of the CSA (5.x) books that I am aware Cisco sells. I reviewed teh syllabus before signing up and there is a lot of the more complex CSA configureion processes included.

Actions

This Discussion