This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
DanielBruss
Occasional Contributor
Occasional Contributor
‎2018-10-29 01:36 PM

"Agent auto-registration is disabled' messages in RSA report

I have a client running AM 8.3 P1 and when they run a report to show remote logins, they are seeing entries on there that say "Agent auto-registration is disabled" and the source IP of those entries is one of their internal servers.  However, that server does not have any RSA components installed on it nor does it get used in any of our current RSA authentication schemes.  In addition, the report shows that these "Agent auto-registration" messages get logged from that server every Sunday morning and there are always 18 attempts beginning from 5:35 AM and ending around 5:37 AM (give or take five minutes on either end).  I have looked in the Task Scheduler on that server and can't find any tasks that would run automatically at that time.

 

Hoping someone here has seen similar behavior and/or hoping someone might be able to tell me what to look for on that server as to why it's trying to talk to the RSA AM.

 

 

Thanks!

Daniel

Labels (1)
Labels
0 Likes
Reply
2 Replies
EdwardDavis
Employee
Employee
‎2018-10-29 03:20 PM

From the description it sounds like you have a weekly dhcp lease renewal happening at that time on Sundays, which would trigger an autoregistration attempt.

 

-sdadmreg.exe is one component that will try to register from the command line when run manually, hunt for any sign of this .exe

-sdregsrv.exe is the windows service version of this, hunt for this file

 

-also, if auto registration service is installed (check windows services for RSA*(anything)) ...anytime the tcp/ip stack is renewed (such as dhcp lease) the service will automatically attempt an autoregister action

 

pastedImage_1.png

 

a normal install would put it here "C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility\sdregsrv.exe"

 

 

Failing all this you can still find out what is going on with Sysinternals Process Monitor

Process Monitor - Windows Sysinternals | Microsoft Docs 

check the Security Console on the RSA server for what TCP port autoregistration is set to (default is 5550/tcp but it can be changed)

 

and then sniff out that port on the 'problem server' with Sysinternals Process Monitor with a filter:

 

-operation begins with TCP

-Path contains 5550    (the port for auto-registration )

 

pastedImage_1.png

 

example 1: Procmon running and get zero events until I manually run sdadmreg and see TCP port 5550 to my RSA server

 

C:\Program Files\RSA\RSA Authentication Agent\Agenthost Autoreg Utility>sdadmreg -r
Agent Host added successfully.

 

 

pastedImage_2.png

 

example 2: I use something else to generate TCP port 5550 traffic, PortQry 

C:\PortQryV2>portqry -n 10.101.99.150 -p TCP -e 5550

Querying target system called:

10.101.99.150

Attempting to resolve IP address to a name...


IP address resolved to edavis-vm150.na.rsa.net

querying...

TCP port 5550 (unknown service): LISTENING

 

pastedImage_1.png

 

If there is something on this machine using TCP to send to RSA server auto-reg port, ProcMon can find it and reveal the source of that TCP traffic.

Reply
DanielBruss
Occasional Contributor
Occasional Contributor
In response to EdwardDavis
‎2018-10-31 01:32 PM

Hi Edward,

 

Thank you very much for your detailed response.  I searched my server for the files and services you mentioned and did not come up with anything.  But then I realized this server is the same one that one my colleagues uses to perform vulnerability scans with Nessus.  I checked in with him and he confirmed that his Nessus scans are scheduled to run early Sunday mornings.  Bingo!  So my guess is that Nessus must realize that it's talking to an RSA Auth Man server and so it tries to do an agent auto-reg to see if that feature is enabled.

 

So while your reply didn't help me directly for this issue, it did get me thinking in terms of what might be on my server that would potentially talk to my RSA Auth Man and that led me to the Nessus discovery.  Your reply is definitely one that will go into my archives!

 

 

Regards,

Daniel

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.