on Jun 14, 2016Article Content
| Article Number | 000032671 |
| Applies To | RSA Product Set: Security Analytics RSA Version/Condition: 10.5.0.0 |
| Issue | User had a standalone Windows Server 2008 Server that isn't in a domain and is using basic authentication. Problem and error message seen when trying to collect logs from that Windows 2008 Server is as below: |
| Tasks | Need to confirm that the integration steps were done successfully. 1. Create a non-Administrator User Account for Security Analytics 2. Add the User Account to the Event Log Readers Group 3. Assign Privileges and Enable Remote Access a. winrm configsddl wmi b. wmimgmt 4. Enable Windows Remote Management over HTTP a. winrm quickconfig b. winrm set winrm/config/service/auth '@{Basic="true"}' c. winrm set winrm/config/service '@{AllowUnencrypted="true"}' d. wevtutil gl security & wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20) f. Create a new firewall rule to allow WinRM traffic into event sources 5. Confirm username and password are correct. Please refer to the document below for a full understanding on how to perform the steps above. http://sadocs.emc.com/@api/deki/files/43167/MicrosoftWindowsEventing.pdf One step to confirm, is that this computer does indeed allow access from the network. This isn't written in the documents because it is usually enabled by default. |
| Resolution | On the Windows Server Machine perform the following: 1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy. This opens the Local Security Settings console. 2. In the Local Security Policy, expand Local Policy and click on User Rights Assignment. 3. On the right side panel, you will find the Policy name "Access this computer from the network".  4. Confirm that your user/group is allowed in this security setting by double clicking on the policy. If not, you can add the group right away.  5. Adding the group  |