CSA 6.0 and terminal services

jimmahoney99
Level 1

Installed CSA 6.0 MC on a server. When I try to RDP into it, it errors out. In the install guide it says you have to edit the MC policy, but it does not say what or how.

Thanks for any help

20 Replies

tsteger1
Level 8

You need to create a NAC rule to allow Terminal Services ('C:\WINDOWS\System32\svchost.exe -k termsvcs') to accept connections as a server on TCP port 3389.

Tom

Would you have step-by-step instructions? I have no training on this product. I was taught a little on CSA 4.x, which we have in place now, by a consultant, and I want to know how to do it the right way. He only showed me that when something is blocked, to run the wizard and click Next until it says Finished.

Thanks for any help

Jim

matt_nels
Level 1

You should see a Network Access Control rule that blocks port 3389, similar to this: "The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection as a server on TCP port 3389 from xxx.xxx.xxx.xxx using interface xxxxxxxxxx. The operation was denied."

You could use the wizard to create an exception to the Network Access Control rule that blocked this. You can later add other IPs to the exception by going to the exceptions page in the CSA Management Center (Policy exceptions).

Matt

When I launch mstsc to the MC server, it fails to connect, but when I look at the events it does not show any events for the block.

My setup is this: one MC server and one desktop; both are in learn mode. I do see other blocked events, and I run the wizard to let them through.

Thanks

Jim

I am guessing that in your log or monitor view you possibly have "filter out similar events" on. Go into the log view, use Change Filter to show only the MC server, and select NO on "filter out similar events". Then click the View button.

This will show all events for that server in the last 24 hours. If the filter is hiding the TermServ events, this will reveal them.

That worked, in the sense that I got to see more events, but nothing pointing to termsvcs or anything close to it. I also tried to map to c$ or d$, but it denies and also does not generate an event. Do you know of any good books for this product other than the supplied documentation?

OK, I got it. What I had to do was put it in audit mode. Then the alert showed up in the events and I was able to run the wizard.

Thanks for everyone's help in pointing me in the right direction.

Jim

The reason audit mode showed the hit was that the rule probably was not logging the event. (Guess I should have thought of that....) You can go back to the rule, enable logging, and then turn off audit mode to test it.

Thanks for coming back and responding how you figured it out.

Hi Jim,

When you say you put it in audit mode, could you expand on this? I've got exactly the same problem, and this is my first time with CSA, so I'm struggling to find the solution.

Thanks,

Simon

Simon,

If you put a group or rule module in Audit mode, any corresponding rule will not do any blocking. It will fire alerts exactly as they would have happened if not in audit mode. In the alerts, however, you would typically see "This operation would have been denied". It lets you test rules before blocking activities. It is also useful if you are only using CSA as more of a "detection" agent rather than a "prevention" agent.

You can put a machine in audit mode in two places. 1) You can go into the properties of the group the machine is in, expand the "Rule Overrides" section and check the box "Audit Mode". This will put every policy (ergo rule module) in audit mode.

2) You can go into Configuration -> Rule Modules. Select the specific rule module you would like in audit mode. Again, expand the "Rule Overrides" section and check the box "Audit Mode".
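The two things this thread turns on are the NAC event text Matt quoted earlier (the svchost "-k termsvcs" process accepting on TCP 3389) and the audit-mode wording described just above ("would have been denied" instead of "was denied"). Below is an added example, not code from the thread or from Cisco, that parses event lines in that quoted format, filters the ones for the port you care about, and tells enforced blocks apart from audit-mode hits so you know which rule to add an exception to and whether the agent was actually blocking. It assumes the event text follows the quoted wording exactly; the addresses and interface names in the sample lines are constructed placeholders.

```python
"""Parse Cisco Security Agent (CSA) Network Access Control event text.

Added example, not code from the thread or from Cisco. It takes the event
wording quoted in the thread and pulls out the fields an admin needs before
creating an exception: process, user, port, peer address, and whether the
agent actually blocked (enforced) or only reported (audit mode). The sample
lines below are constructed; addresses and interface names are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Wording follows the event quoted in the thread. Only the outcome phrase is
# allowed to vary, so "was denied" (enforced) and "would have been denied"
# (audit mode) both match; any other outcome is kept verbatim.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<user>[^)]+)\) attempted to "
    r"accept a connection as a server on (?P<proto>TCP|UDP) port (?P<port>\d+) "
    r"from (?P<peer>\S+) using interface (?P<iface>.+?)\. "
    r"The operation (?P<outcome>[^.]+)\."
)


@dataclass
class NacEvent:
    process: str
    user: str
    proto: str
    port: int
    peer: str
    iface: str
    outcome: str

    @property
    def mode(self) -> str:
        # "would have been denied" is the audit-mode phrasing; "was denied"
        # means the rule really blocked the connection.
        if self.outcome.startswith("would have"):
            return "audit"
        if self.outcome == "was denied":
            return "enforced"
        return "other"

    @property
    def is_terminal_services(self) -> bool:
        # Terminal Services runs inside svchost under the termsvcs group.
        return "-k termsvcs" in self.process.lower()


def parse_event(text: str) -> Optional[NacEvent]:
    """Return a NacEvent for a line in the quoted format, else None."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return NacEvent(process=m["process"], user=m["user"], proto=m["proto"],
                    port=int(m["port"]), peer=m["peer"], iface=m["iface"],
                    outcome=m["outcome"])


def find_port_events(lines: List[str], port: int = 3389,
                     proto: str = "TCP") -> List[NacEvent]:
    """Keep only server-side events on the given port and protocol."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.port == port and ev.proto == proto:
            out.append(ev)
    return out


def summarize(events: List[NacEvent]) -> Tuple[Dict[str, int], List[str]]:
    """Count enforced vs audit hits and list the peers that tried to connect."""
    counts = {"enforced": 0, "audit": 0, "other": 0}
    peers = set()
    for ev in events:
        counts[ev.mode] += 1
        peers.add(ev.peer)
    return counts, sorted(peers)


# Constructed sample lines (placeholder addresses and interface names).
SAMPLE_EVENTS = [
    # Enforced block, wording as quoted in the thread.
    r"The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) "
    r"attempted to accept a connection as a server on TCP port 3389 from 192.0.2.10 "
    r"using interface Local Area Connection. The operation was denied.",
    # Same rule hit while the rule module is in audit mode.
    r"The process 'C:\WINDOWS\System32\svchost.exe -k termsvcs' (as user NT AUTHORITY\SYSTEM) "
    r"attempted to accept a connection as a server on TCP port 3389 from 192.0.2.25 "
    r"using interface Local Area Connection. The operation would have been denied.",
    # Unrelated block on another port; must not be matched for 3389.
    r"The process 'System' (as user NT AUTHORITY\SYSTEM) attempted to accept a connection "
    r"as a server on TCP port 445 from 192.0.2.10 using interface Local Area Connection. "
    r"The operation was denied.",
    # Not a NAC event at all.
    "Agent 'mcserver' registered with the Management Center.",
]


if __name__ == "__main__":
    rdp = find_port_events(SAMPLE_EVENTS, port=3389)
    for ev in rdp:
        print(f"{ev.mode:8} port {ev.port} from {ev.peer} by {ev.process} ({ev.user})")
    print(summarize(rdp))
```

Run it against an export of the MC log view with "filter out similar events" turned off; if every 3389 hit comes back as "audit", the rule is only reporting, and if nothing comes back at all while RDP still fails, the rule is probably not logging, which is the case Tom describes in this thread.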

Hi Mat,

I'm not sure what was going on... it was all getting a little fuzzy. Re-installed; I managed to find my way to the section for Audit, which overwrote the rules, but I didn't have admin rights to change it. Went under Maintenance, Administrators, Account Management and worked out how to change my preferred modes. Then from the logs I used the wizard to allow terminal services.

Great help thanks,

Simon.

Good. Just take your time and document what you are doing. Once you figure out how to navigate and how things work in relation to each other, you will learn soon enough.

Just don't make exceptions on a whim, otherwise you can degrade your security.

Thanks for stepping in Matt. Got kind of caught up in an Active Directory migration mystery...

Tom

No problem. I try to help out when I can. I'll try to help out more as I'm starting to really understand CSA more.

I've been absorbing CSA the last 9 months (with two upgrades) and I am starting to see it in my dreams....
