Help-- I am lost- I love the SCM but I can not get past this error message

April 25, 2012, 6:18 am

≫ Next: Using LocalGPO.wsf for standalone PC's

Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

I have spent the last two days trying to get this figured out- I have unloaded SCM, SQL many times, all to no avail, I have tried all sorts of permissions -- but obviously I am having a major blonde moment here---- I REALLY need to get this working.

Very simple set up all on a local Win 7 machine - which authenticates into a AD domain. It was workign perfectly UNTIL we switched from the Novell to Active Directory -- now I get this message.

Any kindness, prayers or help would be greatly appreciated!

Jim

------------------
Additional data:

HelpLink.ProdName: Microsoft SQL Server
HelpLink.EvtSrc: MSSQLServer
HelpLink.EvtID: 18452
HelpLink.BaseHelpUrl: http://go.microsoft.com/fwlink
HelpLink.LinkId: 20476

------------------
Program Location:

at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
   at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
   at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
   at System.Data.SqlClient.SqlConnection.Open()
   at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
   at System.Data.Common.DbDataAdapter.Fill(DataTable[] dataTables, Int32 startRecord, Int32 maxRecords, IDbCommand command, CommandBehavior behavior)
   at System.Data.Common.DbDataAdapter.Fill(DataTable dataTable)
   at Microsoft.SecurityComplianceManager.Database.XTransDataSetTableAdapters.SystemInfoTableAdapter.GetData()
   at Microsoft.SecurityComplianceManager.Core.SystemInfo..cctor()

↧

Using LocalGPO.wsf for standalone PC's

November 15, 2011, 12:53 pm

≫ Next: Allow Remote Shell Access

≪ Previous: Help-- I am lost- I love the SCM but I can not get past this error message

I am new to SCM and have read nice things about the new lgpo tool. I have edited a local user policy on a kiosk machine and want to export and put on other kiosk PC's. I need some direction on exactly how i need to do that. When I do the standard localgpo.wsf syntax options, does it take "all" policies from the machine or just the base administrative and user policies?

↧

Allow Remote Shell Access

May 10, 2012, 8:26 pm

≫ Next: Revoking IE9 Baseline

≪ Previous: Using LocalGPO.wsf for standalone PC's

We are having a hard time understanding the "Allow Remote Shell Access" Windows 7 SP1 policy that SCM sets in its template.

Can someone help us understand why the GPO is set to "Enabled" when the the SCM countermeasure recommendation is to set it to Disabled?

Is there any real reason to enable this on a Windows 7 machine? Seems more like a server setting than a desktop/laptop configuration.

Below is the data from the Windows 7 SP1 SCM template. As you can see, MS and Customized values are set to Enabled, but it doesn't match the Countermeasure recommendation. Way confusing.

Default = Not Configured
Microsoft = Enabled
Customized = Enabled
Severity = Critical

Description:
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.

Vulnerability:
Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec.

Potential Impact:
If you enable this policy setting, remote access is allowed to all supported shells to execute scripts and commands. If you disable or do not configure this policy setting, remote access is not allowed to all supported shells to execute scripts and commands.

Countermeasure:
Configure Allow Remote Shell Access to Disabled.

↧

Revoking IE9 Baseline

May 14, 2012, 1:40 am

≫ Next: GRC MP in SCSM 2012 RC - cannot add Authority Document to Program

≪ Previous: Allow Remote Shell Access

Hello,

I took the MS IE9 baseline and applied on a standalone desktop using LocalGPO

Outlook Web Access (OWA) doesn't work after applying the baseline. Basically HTTPS sites are not working.

I want to revert to the original settings. I tried with cscript LocalGPO.wsf /Restore but didn't work.

Can anyone please guide me how to revert to original settings?

Also, is it possible to export the original settings and compare with IE9 baseline in SCM?

Please help!

Kind regards,

Maricar

↧

GRC MP in SCSM 2012 RC - cannot add Authority Document to Program

April 13, 2012, 3:29 am

≫ Next: LocalGPO problem on Windows Server 2003 R2 SP2

≪ Previous: Revoking IE9 Baseline

Hi,

I installed SCSM 2012 RC and the newest GRC MP 2012. I followed the documentation and everything went fine. So I was able to install the GRC MP - I see all the datawarehouse "cubes", I see the management pack which have been imported, I see the reports... So when creating a program and defining scope that works fines as well. So I wanted to use the "Create Controls from Library" to do just that. Unfortunately I am not able to do that. I am able to select the "program" and on the next page I am able to select the "Libraries" (Microsoft.AuthorityDocument.Library, Microsoft.ControlObjective.Library...) but after selecting them nothing happens... I am not able to select the button "Next". In the smal right hand window nothing appears..

Please does someone have an idea what I could do? I checked event log on my Service Manager console server and on the datawarehouse server but there are no errors there... I just don't have any idea why I am not able to move forward and what I could do to solve this error. Any help is highly appreciated.

↧

LocalGPO problem on Windows Server 2003 R2 SP2

May 13, 2012, 3:14 pm

≫ Next: Cannot open database 'XTrans' requested by the login. The login failed. Login failed user 'domain\user'

≪ Previous: GRC MP in SCSM 2012 RC - cannot add Authority Document to Program

Applying SCM 2.5 LocalGPO / GPOPack to Windows Server 2003 R2 SP2 results in this error when viewing policy via gpedit.msc...

After restarting the computer, it appears as if no policy changes were applied. Why?

To recreate this, install LocalGPO on a non-domain Windows Server 2003 R2 SP2 computer. Using gpedit.msc, make a change to local policy (password length, for example). Using LocalGPO, backup the policy (to a GPOPack, for example). Using gpedit.msc, change the password length for example) back to a different setting. Then, attempt to apply the policy. The above error will appear, and upon reboot, the policy has not been applied.

↧

Cannot open database 'XTrans' requested by the login. The login failed. Login failed user 'domain\user'

February 8, 2012, 5:16 am

≫ Next: SCM - Windows 7 SP1 Computer Security Compliance

≪ Previous: LocalGPO problem on Windows Server 2003 R2 SP2

Hi, everybody.

After successfully installing SCM 2.0, I'm getting an error when launching it:

Cannot open database 'XTrans' requested by the login. The login failed. Login failed user 'domain\user'

I'm suspecting it may be because I ran SCM setup with the machine in a Workgroup, and later joined the domain. So when I log on with a domain account, it is not recognized by SCM's SQL Express.

I would uninstall SCM and reinstall it now with the domain user account. Any other thoughts?

I wish I could use the same SCM VM for different AD forests, but I'm fearing I will have to have one VM machine for each... (which means more disk space).

Hope you can help.

Thanks and regards,

Mario

↧

SCM - Windows 7 SP1 Computer Security Compliance

May 22, 2012, 2:14 pm

≫ Next: LocalGPO on Win7 screws up Advanced Firewall

≪ Previous: Cannot open database 'XTrans' requested by the login. The login failed. Login failed user 'domain\user'

After applying the windows 7 default security Compliance policy, i am unable to mount any cifs shares. What part of this policy would not allow this? My error message is when I go to put a user and password in and it will not authenticate my users anymore. I remove the policy and it works again. Any ideas?

Eric

↧

LocalGPO on Win7 screws up Advanced Firewall

June 4, 2012, 8:56 pm

≫ Next: While installing, Failed to Initialize Database

≪ Previous: SCM - Windows 7 SP1 Computer Security Compliance

I have a GPO backup that contains zero references to any Windows firewall settings. It sets some MSS and a few dozen other settings. However, when I use LocalGPO to apply this to a standalone computer the Advanced Firewall has a message stating that it is being managed by a GPO. It's stuck "on" for all profiles, and even worse, the local exceptions is set to "no" as well.

IMHO, this is not expected behavior since the applied GPO has no firewall settings whatsoever. As a result, I've had to not use LocalGPO and resorted to secedit and auditpol to configure lockdowns.

Anyone else see this behavior?

↧

While installing, Failed to Initialize Database

August 4, 2011, 11:20 am

≫ Next: Windows Script Host Pop-up when importing a GPOPack with MLGPO switch

≪ Previous: LocalGPO on Win7 screws up Advanced Firewall

trying to install scm v2 beta. first i got 1603 error and had to set public='%systemroot%'. now i get 1603 and log file states the following

SearchRegKeyForSqlServer: Successfully determined instance is installed.
DropDatabase: Custom Action Data. DBMASTER pcname\MicrosoftSCM master
ConnectDatabase: server Name before checking for Default Inatance . pcname\MicrosoftSCM
ConnectDatabase: server Name . pcname\MicrosoftSCM
ConnectDatabase: database Name . master
ConnectDatabase: Failed to initialize database connection. Error Code: 0x80004005. . Additional Error Description : Invalid connection.
DropDatabase: ConnectDatabase returned error. Error Code: 0x80004005.
MSI (s) (20!D8) [14:14:46:281]: Product: Microsoft Security Compliance Manager -- Error 25157. Failed to drop database. Error Code: -2147467259 ([DBNETLIB][ConnectionOpen (ParseConnectParams()).]Invalid connection.).

Error 25157. Failed to drop database. Error Code: -2147467259 ([DBNETLIB][ConnectionOpen (ParseConnectParams()).]Invalid connection.).
Action ended 14:14:47: INSTALL. Return value 3.

I have admin rights to the pc

↧

Windows Script Host Pop-up when importing a GPOPack with MLGPO switch

June 13, 2012, 2:45 am

≫ Next: SCM 2.5 Error when importing backup Serve 2003 SP2

≪ Previous: While installing, Failed to Initialize Database

Hello,

I'm trying to import domain policies through localGPO to a master image (the image being in a workgroup). OS is Windows 7 SP1, language is French. Target is to add a task in MDT to do the job.

Those policies configure Internet Explorer 9 and Office 2010, only User settings are modified. Those policies must apply only to local users and not administrators, so i'm using MLGPO for this.

I'm doing it this way :

- Install localGPO on a test computer, backup a domain GPO then copy it on the test computer, then import it with : cscript localGPO.wsf /Path:C:\GPOBackup

- Export the local GPO to a GPOPack with : cscript localGPO.wsf /Path:C:\GPOPack /Export /GPOPack

- Copy the GPOPack to another test computer, but applying it only to non-administrators with : cscript C:\Temp\{GUID}\GPOPack.wsf /Path:C:\Temp\{GUID} /MLGPO:Non-Administrators /silent

This is when 3 pop-up appears despite the /silent switch, all labeled "Windows Script Host" : one blank, then one with "Non-Administrators MLGPO...Modified !" then another one blank again.

When i check policy settings applied everything is OK.

My GPO doesnt contain any Computer or Security setting, so i think the two blank pop-up are related to this...also when i import the GPOPack without the MLGPO switch, no pop-up appears.

Am i doing something wrong ? Any help would be appreciated.

Regards,

↧

SCM 2.5 Error when importing backup Serve 2003 SP2

June 13, 2012, 4:04 am

≫ Next: Server 2008 R2 Security Guide

≪ Previous: Windows Script Host Pop-up when importing a GPOPack with MLGPO switch

Wasn't sure where to note this error. When exporting Local GPO policies using the /export /path: there is a fault that happens which makes the backup unable to import into SCM 2.5. The error is when a value has a space within the GptTmpl.inf file. I think that the fault is in reading the registry value which turns out to be null and an additional space is entered after the comma. In the below the entry would be (3,1) in a good working GPO Export where in the faulty templates are (3, ) with a space after the comma. Example path of a working backup -- {C1326D89-A487-412B-88E1-13E467A3B16A}\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf and Registry section listed below:

[Registry Values]
MACHINE\Software\Microsoft\Driver Signing\Policy=3,

↧

Server 2008 R2 Security Guide

September 19, 2011, 2:07 am

≫ Next: Automated Compliance Tests Problem

≪ Previous: SCM 2.5 Error when importing backup Serve 2003 SP2

Hello,

I am trying to find the latest (if it exists) version of the "Windows Server 2008 R2 Security Guide".

I found the version 1.0 (Beta) in the Compliance Manager (ver 1.1) installation. I have now updated SCM to ver 2.0.20.0, and for the life of me cannot find the Security Guide.

Q. Has this guide been updated/removed ?

Could someone help me to find the actual version please.

Thanks,

Raharney

↧

Automated Compliance Tests Problem

December 9, 2010, 7:16 am

≫ Next: Cannot bind a SSL certificate to a port from withing a LocalSystem AppPool application

≪ Previous: Server 2008 R2 Security Guide

Hello all,

i have installed the System Center Service Manager 2010 (Version 7.0.5826.0), the System Center Configuration Manager 2007 R2 and the Service Manager GRC Management Pack with all the related librarys (Win7, Win Server 2008, Win Server 2008 R2....). On SCCM the exported DCM Baseline from Security Compliance Manager is implemented. All looks fine.

I would like to automate the replication between the SCCM DCM Baselines and the automated control activities in SCCM.

My problem:

After installation the GRC libraries in SCSM i have no Automated Control Activities in the SCSM Control Management.

My Questions:

- How do I get the Automated Control Activities in the SCSM Control Management and start the automated replication?

- Manuelly? How detects the Control Activity which Baseline CI it belongs?

Thank you very much for your help!

Henning

↧

Cannot bind a SSL certificate to a port from withing a LocalSystem AppPool application

June 18, 2012, 8:29 am

≫ Next: Unable to RDP from Windows XP to Windows 7 machine configured with Windows 7 EC Desktop baseline

≪ Previous: Automated Compliance Tests Problem

I'm having some trouble binding a SSL certificate to a specific port using the following command:

netsh http add sslcert ipport=0.0.0.0:8091 certhash=861CEA13D9F0DB7054D8826D9983DBECEC600B3C appid={08DD83F6-854A-4BFF-92AB-04878DB3915B}

When I run this command from cmd.exe as Administrator it works perfectly.

When I try to run it from an ASP.NET application that runs in a LocalSystem AppPool (which has full Administrator privileges) I get the following error -

SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.

And in the Securty Event Log it is logged the following error:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

The OS is Windows 2008 R2 SP1, so that hotfix from Microsoft won't work (is already installed). I don't understand if it is a permissions issue, since both times the command is executed under the Administrator account. The same thing works fine on a Windows 7 x64 dev machine.

Any ideas how to make it work from within the ASP.NET app?

↧

Unable to RDP from Windows XP to Windows 7 machine configured with Windows 7 EC Desktop baseline

June 28, 2012, 2:24 am

≫ Next: Security Compliance Manager installer is just terrible

≪ Previous: Cannot bind a SSL certificate to a port from withing a LocalSystem AppPool application

Scenario:

I have two machines, a Windows XP and a Windows 7 machine in OU 1. There is another Windows 7 machine in OU 2. Both OUs are subject to exactly the same policies, namely the Windows 7 EC Desktop policy and a firewall policy that allows inbound Remote Desktop exceptions set to * (All). Both OUs have all other policies bar the Default Domain Policy blocked from inheritance.

I can RDP to the third Windows 7 machine in OU 2 from my Windows 7 machine in OU 1 fine. However, I am unable to get a Remote Desktop Connection to the third machine from my Windows XP box in OU 1. The same account are being used throughout. I have also upgraded the RD client on the XP box to 7.0, but it's made no difference. If I disable the Win7EC desktop policy in OU 2, all is well and I can RDP from the XP box.

I assume Windows 7 must be sending some information with improved encryprtion by default. Indeed, looking at the event viewer on the machine in OU 2 I see:

IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

Can anyone suggest what element of the policy I should change (or more to the point, how I should change it) to keep security as strong as possible but allow the XP client to reach the machine via RDP?

Thanks

Simon

↧

Security Compliance Manager installer is just terrible

November 19, 2010, 12:28 am

≫ Next: LocalGPO on Win8/Server 2012

≪ Previous: Unable to RDP from Windows XP to Windows 7 machine configured with Windows 7 EC Desktop baseline

First of all, if you try to install SCM on a domain controller it will fail. Why? Because the installer will go and automatically download SQL Express 2008 and install it with default options that includes trying to use a local system account, which you can't do on a DC.

Fine, I thought. I'll just download and manually install SQL Express and configure it to use a domain account. Which works just fine except that the SCM installer doesn't even bother to check to see if you already have SQL installed. It insists on installing it itself, which of course causes it to fail.

There should at least be an option during the SCM installation to either specify an already existing instance of SQL, or to configure settings such a service accounts manually.

So I'm forced to install it on a Windows 7 machine, where I've already got SQL Express 2008 R2 installed, which of course the installer doesn't care about and forces me to install SQL Express 2008.

Just.. terrible.

↧

LocalGPO on Win8/Server 2012

July 7, 2012, 7:50 pm

≫ Next: How does one perform compliance checking against a merged GPO set?

≪ Previous: Security Compliance Manager installer is just terrible

Yes I realize that Win8/Server 2012 have not RTM'd yet, but the localGPO tool refuses to add the MSS settings to my Server 2012 RC instance. How soon can we expect an update to SCM to support Win8/Server 2012, even sans the security baselines?

↧

How does one perform compliance checking against a merged GPO set?

July 12, 2012, 4:33 am

≫ Next: IE 9 blocking some features after Implement Microsoft SCM

≪ Previous: LocalGPO on Win8/Server 2012

Good morning,

We are attempting to set up a customized GPO set for several versions of Windows OS (XP, Win7, Win2003, Win2008, etc.). All of these systems are standalone so utilizing an enterprise type of application, such as SCCM or ePO, is not an option. However, in addition to the OS, the systems normally run a version of IE (anything from IE7 up to IE9), and some flavor of Office. We can set up the customized set utilizing the SCM interface and then creating the GPO pack or backup for import purposes.

The primary issue from the compliance checking perspective is that you cannot export the GPO set from the standalone machine and compare that set against a baseline maintained on a seperate machine because the export only includes the OS baseline. None of the controls for IE or Office will be included in that export set. We have thought about what would be involved in resolving this problem but see no simple way to fix it. Has anyone run across this problem before?

A secondary issue is attempting to create a baseline on a machine that is already preloaded with this type of software and/or other applications. However, again since the utility does not export the controls for the secondary applications, this cannot be done cleanly.

Thoughts on this?

Regards,

Larry

↧