[WinPartners] Re: KB824146Scan not scanning WinNT machines

Jonathan McIndoe Hunt jmhunt at MIT.EDU
Thu Sep 11 12:05:17 EDT 2003 

Hi Bil,

Have you by chance enabled RestrictAnonymous on those NT 4 machines?

According to the KB article for the scanner 
<http://support.microsoft.com/?kbid=827363> that error is associated with 
machines where restrict anonymous is set.

    * The KB824146scan.exe tool cannot determine whether the 823980 
(MS03-026) and the 824146 (MS03-039) security patches are installed on a 
Windows NT 4.0-based computer that has the RestrictAnonymous value set to 1 
in the following registry key:
    * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa In this case, 
the KB824146scan.exe tool reports the following error status for the target 
computer: cannot get workstation info: error 997 (0x000003E5).To determine 
whether these computers have been patched, you must manually inspect them.

This would explain why scanning localhost would work.  You might want to 
implement a domain wide chage to that value through the system policy 
tools, reboot the machines and run the scans again.

Jon



At 07:38 AM 9/11/2003 -0400, Huxley, Bil wrote:
>Tom,
>
>Quite right - I was trying to scan all of the computers in our domain and 
>produce a single report of vulnerabilities (from 1 workstation by scanning 
>across the network).
>
>Thanks,
>   Bil
>
>At 9/10/2003 11:51 PM, lensman at MIT.EDU wrote:
>
>>      Bil,
>>
>>      Are you scanning accros the network from a single station? In the 
>> cases I
>>have tried, I was at the console of those NT servers and ran the scan against
>>"localhost" and it worked fine for me... I haven't tried scanning my NT 
>>servers
>>from another machine...
>>
>>      Tom
>>
>>Quoting "Huxley, Bil" <huxley at MIT.EDU>:
>>
>> > Hello,
>> >
>> > A Heads-Up.  It would appear in our limited exercises that the
>> > KB824146Scan.exe tool is not working with WinNT4 machines, though "Windows
>> > NT 4.0-based computers" are listed in article 827363 as being supported by
>> > this tool.  Every instance we've tried results in an "other errors" 
>> and the
>> > Host is Skipped.  This seems to be true for Servers and 
>> Workstations.  As a
>> > result these machines do not appear on the "Vulnerable" list.
>> >
>> > When we run the /l option the log reports: "cannot get workstation info:
>> > error 997 (0x000003E5)".  This long message makes these machines easy to
>> > identify in the log.
>> >
>> > FYI,
>> >    Bil
>> >
>> >
>
>

More information about the winpartners mailing list