Some computers on the network are not reached by the Auditor

von | 9.März 2007

Zuletzt aktualisiert am von ProSoft Redaktion


Darstellung des archivierten Beitrags

Dieser Beitrag wurde aus der Vorgängerversion der ProSoft Knowledge Base übernommen. Er wird im Archiv zur Verfügung gestellt und dient zur Recherche älterer Programmversionen bzw. früherer Fragestellungen.

In some cases the Safend Auditor may will fail to audit a target machine.


There may be a number of reasons for this:

The auditing user does not have administrative permissions to the audited computer (this is either the user logged on to the computer on which the Auditor is installed, or the user to which the credentials were changed, in the Change User option).

The machine did not respond within an acceptable time. This can happen if for any reason there was too much load on the network at the time of the audit, or even if the machine was turned off at the time.

The machine is listed in Active Directory but does not exist. This can happen if its name was changed, or if it was disconnected from the network at the time of the audit.

A Firewall may be active on these machines, blocking the access of the Safend Auditor.


Make sure the account that is used for auditing has sufficient permissions.

Make sure the machine is not turned off.

Make sure the machine is listed properly in the AD, andthat it is connected to the network.

When the reason for failure is a Firewall on the target machine:
Depending on the method of scan in which the Safend Auditor is configured, different prerequisites must be met for the Audit to succeed.

When conducting a SetupAPI based Audit:

In order for the Safend Auditor to be able to access the remote machines using the SetupAPI method, it needs port 445 (SetupAPI – through file and printer sharing and remote registry service) open. Additionally, you will need to make sure that the “Remote Registry” service is running in the target machine.

The other ports that the “file and printer sharing” is listening on (137,138 UDP and 139 TCP) are not needed for the auditor, and therefore can remain closed at the firewall.

In order to enable file and printer sharing:
Open Control Panel –> Network Connections
Double click on your connection and then click the properties button.
* For a LAN connection, click the general tab and make sure the File and Printer Sharing for Microsoft Networks is not selected.
* For a dial up connection, click the Networking tab and then make sure File and Printer Sharing for Microsoft Networks is not selected.

In addition, the XP SP2 firewall has a built-in exception rule for “File and Printer Sharing”, which is an exception for ports 137-139 and 445. The rule is editable and can be modified to apply only to port 445.

To do this:
Open Control Panel –>Firewall
Go to the exceptions tab, choose file and printer sharing, click edit and select the checkbox next to 445.

When conducting a WMI based Audit:

The Safend Auditor also allows auditing remote machines by using the WMI method which requires port 135 in addition to another dynamic port allocated automatically by Windows when WMI is used. Allowing the “Remote Administration” exception in your firewall will allow the Safend Auditor to scan the machine using WMI.

Managing Windows XP Service Pack 2 Windows Firewall Using Group Policy:

Published by Microsoft: August 1, 2004
Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers.

This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.

Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.

Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall.

Identical sets of policy settings, as shown in Table 2, are available for two profiles:

• Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.

• Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.

Policy Setting Description
Windows Firewall: Protect all network connections
Turns on Windows Firewall. The default is Not Configured.

Windows Firewall: Do not allow exceptions
Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions.
This policy setting overrides all configured exceptions. The default is Not Configured.

Windows Firewall: Define program exceptions
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured.

Windows Firewall: Allow local program exceptions Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured.

Windows Firewall: Allow remote administration exception allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured.

Windows Firewall: Allow file and printer sharing exception
Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.

Quelle: Safend FAQ KB00000017 – Some computers on the network are not reached by the Auditor


Bitte bewerten Sie diesen Beitrag!
[Gesamt: 0 | Durchschnitt: 0]