Windows Server

| Connector name | (agtnt) |
|---|---|
| Connector type | Executable |
| Type (UI field value) | Windows NT Server |
| Target system versions supported/tested | Compatible servers are: |
| Connector status / support | Bravura Security-Verified. This connector has been tested and is fully supported by Bravura Security. |
The connector for Windows NT compatible systems (agtnt) uses the NTLM client built into the Windows operating system to target compatible servers.
The following Bravura Security Fabric operations are supported by this connector:
user verify password
get server information
user change password
administrator reset password
administrator reset+expire password
expire password
check password expiry
administrator verify password
enable account
disable account
check account enabled
create account
delete account
unlock account
check account lock
add user to group
delete user from group
add group to group
remove group from group
create group
update group
delete group
rename account
update attributes
list account attributes
update subscriber attributes/password
run command
List:
accounts
attributes
groups
members
subscribers
members of built-in administrators group
member groups
For a full list and explanation of each connector operation, see Connector operations.
The (agtnt) connector can also set and update user IDs and passwords within IIS, such as Anonymous Authentication Users, Application Pool Identities, and Physical Path Credentials.
Certain operations are supported for domain controllers: serverinfo, addressattrs, platforminfo, listresource and updateresource. For all other operations, use the connector for Active Directory DN (agtaddn) instead.
Only domain groups may be added to local groups on Windows NT servers.
Preparation
Before you begin, you must:
Know the name of each Windows server where Bravura Security Fabric performs operations.
Create an administrative account and a test account on each server.
Create at least one template account.
Prepare each Windows server to be able to run commands.
Configuring a target system administrator
Bravura Security Fabric uses a designated account (for example, psadmin) on the Windows server target system to perform operations. The target system administrator must belong to the local Administrators group and have sufficient privileges to reset an account password without being blocked by UAC.
When temporary group membership access (Bravura Security Fabric 8.2+) is configured, ensure that the target system administrator is a domain account. Alternatively, system credentials can be used.
Ensure that you set and note the account's password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
Creating a template account on Windows servers / workstations
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts on Windows servers and workstations. This section describes how to create a Windows Server 2008 local template account (without Active Directory). See your Windows systems administrator or documentation for more information.
On the Windows server:
Select Start > All programs > Administrative Tools > Computer Management.
Select System Tools > Local Users and Groups.
Right click on the Users folder and select New User.
Type the template account’s User name, Password and Confirm password.
Set additional parameters as you require.
Click Create and then Close.
Note
It is recommended that you do not add template accounts to Bravura Security Fabric-managed groups. Managed group memberships should be handled by including them in roles.
Defining properties
By default, Bravura Security Fabric copies many properties (attributes) when creating a new user.
To define additional properties for the template account:
Open the Users folder and locate the template user.
Right click on the template account and select Properties.
Select the Profile tab and configure a user profile path, logon script name, or home directory path.
Configure other properties as you require.
Click OK to close the window.
Close the window.
Preparing Windows servers / workstations for run command operations via account set access request
The (agtnt) connector can execute remote PowerShell scripts via an account set access check-out on a Windows server or workstation. Additional preparation is required on both the Bravura Security Fabric and the Windows target system, as described in this section.
Bravura Security Fabric server
To prepare the Bravura Security Fabric server, execute the following PowerShell commands on the server:
Note
Ensure you launch Windows PowerShell as an Administrator.
Ensure the Windows Remote Management service (WinRM) is running:
start-service winrm
Set the execution policy and the WinRM client's trusted hosts:
Set-ExecutionPolicy RemoteSigned -Force
Set-Item wsman:\localhost\Client\TrustedHosts -Value *
Windows server /workstation target system
To prepare the Windows NT target:
Ensure the network connection type is set to either Domain or Private.
Execute the following PowerShell commands on the target.
Note
Ensure you launch Windows PowerShell as an Administrator.
Ensure the Windows Remote Management service is running:
start-service winrm
Allow remote administration:
Enable-PSRemoting -Force
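The commands above, gathered into one script that runs the instance-server or target-side preparation and then verifies that the WinRM listener answers. This is an added example, not a script shipped with Bravura Security Fabric; the hostnames and the trusted-host pattern are assumptions. Where the page sets TrustedHosts to `*`, the example narrows it to the target hosts, since `*` lets the WinRM client send credentials to any host.

```powershell
# Added example (not Bravura Security's code). Run from an elevated PowerShell session.
# -Role Instance prepares the Bravura Security Fabric server; -Role Target prepares a
# Windows server/workstation target. Hostname values below are constructed placeholders.
param(
    [ValidateSet('Instance', 'Target')] [string] $Role = 'Target',
    [string] $TargetHostPattern = '*.corp.example.com'   # assumed: hosts the instance will remote into
)

function Initialize-WinRm {
    # Make sure the Windows Remote Management service is running and starts at boot.
    Set-Service -Name winrm -StartupType Automatic
    Start-Service -Name winrm
}

function Initialize-InstanceServer {
    param([string] $TrustedHosts)
    Initialize-WinRm
    Set-ExecutionPolicy RemoteSigned -Force
    # The page uses '*' here. Listing only the target hosts limits where the WinRM
    # client is willing to send NTLM credentials.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $TrustedHosts -Force
}

function Initialize-Target {
    # Enable-PSRemoting refuses to open the firewall on a Public network profile, so
    # report any interface still on Public before running it.
    $public = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
    if ($public) {
        Write-Warning ("Interface(s) on the Public profile: " + ($public.InterfaceAlias -join ', ') +
                       ". Set them to Private or Domain first.")
    }
    Initialize-WinRm
    Enable-PSRemoting -Force
}

function Test-WinRmListener {
    param([string] $Computer = 'localhost')
    # Test-WSMan succeeds only if the WinRM listener is reachable and answers an Identify request.
    try   { $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop; $true }
    catch { Write-Warning $_.Exception.Message; $false }
}

switch ($Role) {
    'Instance' { Initialize-InstanceServer -TrustedHosts $TargetHostPattern }
    'Target'   { Initialize-Target }
}
if (Test-WinRmListener) { "WinRM listener OK ($Role)" } else { "WinRM listener NOT reachable ($Role)" }
```

Run it once on each side; the final line tells you whether the local listener is up before you add the target system and attempt a run command operation.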
Troubleshooting
If the connector returns an Access Denied error message when a user attempts to run a command from Bravura Security Fabric, you need to grant the account running the commands the "Execute Methods" permission in Windows WMI.
If you receive the error message 0x80004027-CO_E_CLASS_DISABLED see the following:
Targeting a Windows server / workstation
For each Windows server, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is Windows NT Server.
Target system address uses the following options:
Server: Host name, required. (key: server)
Local group: Local group to target. (key: lg) To target a global group, you must use the Active Directory or Active Directory DN connector.
Subscribers compatible with Active Directory DN: Select to support listing of subscribers run by domain accounts using Active Directory DN. (key: addn)
Allow changing of subscriber account: Select to override the subscriber account when updating cached credentials, in the event that the subscriber's account has changed since the last auto discovery. (key: updsubid)
Disable listing of resources: List the types of subscribers to be excluded during auto discovery. (key: listResourceDisable) Resources must be one of the following:
ls_taskacct: Task subscribers
ls_iisacct: IIS subscribers
ls_comacct: DCOM/COM+ subscribers
ls_scmacct: Service subscribers
ls_cusacct: ODBC DSN subscribers
To disable listing of multiple types of subscribers, select List from the drop-down list box and use the More button to add an input box for each type of subscriber. The value in each input box is treated as a single value. The address is entered in the following syntax:
{server=<host name>;lg=<localgroup>;addn=<true|false>;updsubid=<true|false>;listResourceDisable={<resources>;};}
The administrator ID and Password are the credentials of the administrative account that you created in Configuring a target system administrator.
The full list of target parameters is explained in Target system options.
The (agtnt) connector allows IPv6 addresses for Windows Vista and higher.
Configuring connector behavior
To configure the Microsoft Windows NT connector (for all Windows NT targets):
Log in to the Manage the system (PSA) module.
Click Manage the system > Maintenance > Connector behavior and navigate to the Windows NT connector behavior configuration page.
Enable the options listed below as required.
Click Update.
The steps and options may vary from your installed Bravura Security Fabric version.
The following apply to all Windows NT type targets:
| Option | Description |
|---|---|
| WINNT EMIT INFO | If enabled, this registry setting causes the ( |
| WINNT RESET ENABLE ACCT | Enable disabled Windows NT accounts after a successful password reset. |
| WINNT VERIFY DISABLED | Allow Bravura Security Fabric to verify passwords for disabled Windows NT accounts. By default, Bravura Security Fabric returns failure if the account is disabled. |
Handling account attributes
Bravura Security Fabric lists all attributes on Windows NT compatible systems by default. For increased efficiency, you can restrict listing to specific attributes.
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select Windows NT server from the Manage the system > Resources > Account attributes > Target system type menu.
The rest of this section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on Windows server. For information about the native Windows server attributes managed by Bravura Security Fabric, consult your Windows server documentation.
accountdisable
By default, when creating a new account, Bravura Security Fabric sets the accountdisable attribute to false so that the new account is enabled. The value of the corresponding Account disabled checkbox in Windows server is not copied from the template account.
passwd_cant_change
Bravura Security Fabric can copy from the template, or set, the value of the User Cannot Change Password checkbox in Windows server, using the attribute passwd_cant_change.
_shareas
If the _shareas pseudo-attribute is Set, Bravura Security Fabric creates a share for the user's home directory. Use this pseudo-attribute to specify the share name.
_homedir_share_acl
If the _shareas pseudo-attribute is Set, the _homedir_share_acl pseudo-attribute controls the permissions of users that access the share. It corresponds to the Permissions button on a shared folder.
_pathtohomedir
Normally, Bravura Security Fabric creates a user's home folder based on the home_dir attribute. However, if the path to a user's home folder differs from the value of the Windows server attribute, you can use the _pathtohomedir pseudo-attribute to specify the path to create. For example, the value of the user's actual home_dir attribute is the share name:
\\myserver\<userid>
but the path to the user's home folder is:
\\myserver\F$\Users\<userid>
For Bravura Security Fabric to create the path specified by the _pathtohomedir pseudo-attribute, the Configured action for the home_dir attribute must also be Set.
_homedir_acl
The _homedir_acl pseudo-attribute allows you to Set the ACLs on the newly created folder. Its value is the string representation of a Windows security DACL (discretionary access control list), for example:
D:PAI(A;OICI;FA;;;S-1-5-21-839522115-746137067-854245398-1004)
You can use the dumpacl and dumpsid programs, included with Bravura Security Fabric, to help you write this string; both are described below. For more information about access controls and DACL string formats, see the Microsoft documentation.
home_dir
The home_dir pseudo-attribute supports the copy from template and set to a specified value actions. The copy action creates the user's home directory with appropriate security settings and copies files from the model (template) user account. When using the set action, these steps must be done manually.
_homedir_option
The _homedir_option pseudo-attribute controls how Bravura Security Fabric handles a home directory when the owner's account is deleted. You can set the value of _homedir_option to either:
delete: delete the home directory (default). Bravura Security Fabric does not delete the directory if it contains certain system files, for example boot.ini.
nodelete: do not delete the home directory.
You can override the configured action/value for the _homedir_option pseudo-attribute only at the target system and target type levels.
_sup_homedir_option
This attribute is currently not used.
Most Windows server account attributes are named to clearly identify the corresponding functions in the User Manager in Windows server. The following are mentioned here for clarity:
| Attribute | Corresponds to … |
|---|---|
| password_expired | User Must Change Password at Next Login |
| profile | User Profile Path |
| script_path | Login Script Name |
The Bravura Security Fabric Windows server connector will not allow you to set conflicting values for the password_expired and passwd_cant_change attributes. For example, if you set the password_expired attribute to expired, the connector clears the passwd_cant_change flag so that the user can change his or her password.
dumpacl
Use the dumpacl program to view the elements of an object's security descriptor. A security descriptor contains data and security information for a securable object in Windows. For more information, search for security descriptors at:
http://msdn.microsoft.com/library/
This program is useful, for example, when configuring the _homedir_acl attribute for Microsoft Windows NT target systems, or when creating Notes ID files for Lotus Notes users.
Usage
Run dumpacl with the following arguments:
dumpacl.exe [-dacl] [-sacl] [-owner] [-group] [-share] <filepath>
Argument | Description |
|---|---|
<filepath> | Specifies the path to the object. |
-dacl | Displays the DACL (discretionary access control list) for the object. |
-sacl | Displays the SACL (system access control list) for the object. |
-owner | Displays the object’s owner. |
-group | Displays the object’s primary group. |
-share | Indicates that the filepath is a network share. |
See also
dumpsid is a similar program used to view an object’s security identifier (SID).
dumpsid
Use the dumpsid program to view an object's security identifier (SID). A SID is a unique number that identifies user, group, and computer accounts in Windows. SIDs play a role in security descriptors and access control lists.
Usage
dumpsid.exe [\\<server>\]<userid>
See also
dumpacl is a similar program used to view elements of an object’s security descriptor.
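For environments where the two bundled tools are not at hand, the same inspection can be done with built-in PowerShell and .NET. The following is an added example, not part of Bravura Security Fabric: it resolves an account to its SID (what dumpsid shows), dumps a folder's security descriptor as an SDDL string (what dumpacl -dacl shows), and applies a DACL string of the shape used by the _homedir_acl pseudo-attribute to a freshly created folder. The folder path and the account used are constructed for the demonstration.

```powershell
# Added example (not Bravura Security's code). Inspects and sets security descriptors
# with Get-Acl/Set-Acl and System.Security.AccessControl. Run from PowerShell on the
# Windows server; the demo folder is created under %TEMP% and is safe to delete afterwards.

function Get-AccountSid {
    # Equivalent of dumpsid: translate 'DOMAIN\user' (or a local 'user') to its SID string.
    param([Parameter(Mandatory)] [string] $Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ObjectSddl {
    # Equivalent of dumpacl: the full descriptor as SDDL (O: owner, G: group, D: DACL, S: SACL).
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path).Sddl
}

function Show-Dacl {
    # Expanded view of each DACL entry: who, which rights, allow/deny, inheritance.
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags
}

function Set-DaclFromSddl {
    param([Parameter(Mandatory)] [string] $Path,
          [Parameter(Mandatory)] [string] $Sddl)
    # Parse the string first: a malformed SDDL throws here instead of leaving the
    # folder with a half-applied descriptor.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($Sddl)   # only the sections present in $Sddl (here D:) are replaced
    Set-Acl -Path $Path -AclObject $acl
}

# --- constructed demonstration ---------------------------------------------------
$userSid = Get-AccountSid -Account "$env:USERDOMAIN\$env:USERNAME"   # the current user stands in for <userid>
$demoDir = Join-Path $env:TEMP 'homedir-demo'                        # stands in for \\myserver\F$\Users\<userid>
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# Same shape as the _homedir_acl example: protected DACL (PAI), full control (FA) for
# SYSTEM (SY), Administrators (BA) and the user, inherited by sub-folders and files (OICI).
$dacl = "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FA;;;$userSid)"
Set-DaclFromSddl -Path $demoDir -Sddl $dacl

"User SID: $userSid"
"SDDL:     $(Get-ObjectSddl -Path $demoDir)"
Show-Dacl -Path $demoDir | Format-Table -AutoSize
```

The protected (`PAI`) flag matters for home directories: without it, inherited entries from the parent Users folder would still grant access alongside the explicit user entry, which is usually not what a per-user home folder should allow.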
Managing groups
When performing group operations (groupuseradd, groupuserdelete), you can either provide the group’s long ID, or specify the group’s "SID" value. The operations will detect the presence of an SID for the groupid and add or remove the user from the group with the specified SID.
Listing and notifying subscribers on managed target systems
The Windows NT connector can discover local services, scheduled tasks, DCOM objects, COM+ applications, IIS objects, and ODBC DSNs, referred to as subscribers. Subscribers are associated with a managed local or domain account, called a service account.
In order to list and notify subscribers on a target, the subscriber type's version on the target must not be newer than the one on the instance server. For example, when targeting a Windows system, you can only list scheduled tasks whose version is equal to or lower than that of the instance server: tasks configured for Windows 7 can be listed from an instance server running Windows 2008 R2, but tasks configured for Windows 8 cannot. In that case you must install a proxy server on a system that has the same version of the subscriber type as the target system.
Make sure the Remote Registry service is started (On Windows workstations it is disabled by default, on Windows servers it is enabled by default).
Updating cached credentials (notification)
Subscribers contain a cached credential of the service account. This credential needs to be updated whenever the password is changed on a Windows server or workstation.
The act of updating the cached credentials of subscribers is called a subscriber notification. This is performed by using the "Update cached credentials" (updateresource) operation with the Windows NT connector. The operation can be triggered whenever a privileged password is randomized. This includes:
Expired passwords reset by the scheduler
Manually randomized passwords
Overridden passwords
Passwords that are checked in
The PAMSA SUBSCRIBER NOTIFICATION plugin determines which discovered services, scheduled tasks, DCOM objects, COM+ applications, IIS objects, and ODBC DSNs will be updated when passwords are randomized or during a password change orchestration. See Subscriber notification for details about this plugin.
Requirements
IIS objects
Managed systems must have the same IIS settings as the Bravura Security Fabric server. In order to manage IIS, the appropriate IIS version or management tools must be installed.
COM+ Applications
In order to list and update COM+ applications, both of the following conditions must be met:
Either the Bravura Security Fabric server is a domain member, or a proxy server is installed on a domain member system.
Either the psadmin user on the proxy server or on the instance server is a domain user who is also a member of the local Administrators group on each targeted system, or the Run as setting for the target system credentials is enabled for a domain user who is also a member of the local Administrators group on each targeted system.
Remote COM+ access needs to be enabled. In order to do this, COM+ Network Access needs to be installed:
In Windows Server versions 2012 and earlier, this requires the Application Server role. This can be configured from the Windows Server Manager.
In Windows Server 2016, the Application Server role does not exist. Update the registry subkey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3" to change the RemoteAccessEnabled DWORD value to 1 .
For more information see the Microsoft support article at:
Scheduled task objects
On Windows operating systems that support both Scheduled Task Interface versions 1.0 and 2.0 any version 1.0 task objects must be in the root folder of the Task Scheduler Library to be discovered.
Subscriber URIs
The following lists the URI formats for subscribers by type.
IIS7
Application Pools:
WAMUserName://LM/W3SVC – The default application pool’s identity
WAMUserName://LM/W3SVC/<poolname> – Application pool "<poolname>"’s identity; for example:
WAMUserName://LM/W3SVC/TestPool
Microsoft FTP Site Anonymous Authentication User:
AnonymousUserName://LM/MSFTPSVR – Top level default anonymous authentication user for FTP sites
AnonymousUserName://LM/MSFTPSVR/<ftpsite> – The anonymous authentication user for FTP site <ftpsite>; for example:
AnonymousUserName://LM/MSFTPSVR/myftpsite
Virtual Directory Anonymous Authentication User:
AnonymousUserName://MACHINE/WEBROOT/APPHOST – Top level default anonymous authentication user for HTTP sites
AnonymousUserName://MACHINE/WEBROOT/APPHOST/<httpsite> – The anonymous authentication user for HTTP site <httpsite>; for example:
AnonymousUserName://MACHINE/WEBROOT/APPHOST/myhttpsite
AnonymousUserName://MACHINE/WEBROOT/APPHOST/<httpsite>/path/to/folder – The anonymous authentication user for a specific sub-folder of HTTP site <httpsite>; for example:
AnonymousUserName://MACHINE/WEBROOT/APPHOST/myhttpsite/this/is/a/folder
Physical Path Credentials for a Virtual Directory or Site:
UNCUserName://<sitename>:/:/ – Physical path credentials for the root level of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/
UNCUserName://<sitename>:/:/<vdir> – Physical path credentials for the virtual directory <vdir> of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/MyVirtualDir
UNCUserName://<sitename>:/:/<vdir1>/path/to/<vdir2> – Physical path credentials for the virtual directory <vdir2> of HTTP site <sitename>; for example:
UNCUserName://My Web Site:/:/MyVirtualDir/path/to/MyOtherVdir
Services
For services, the URI is simply the service name. Note that this is not the "display name" shown by default in services.msc. To see the value:
Start the services.msc program.
Right click the service and select Properties.
Select the General tab.
The value listed for Service name is the complete URI for the service.
Tasks
Task Scheduler V2.0 tasks can be at the root of the task scheduler hierarchy or in a sub-folder. For tasks at the root, the URI is simply the task name. For tasks in a sub-folder, the URI is the fully specified path relative to the root of the task scheduler hierarchy.
Windows Server 2008 Task URI Examples:
This is a v1 task.job – Windows Server 2008 V1.0 compatibility task
ThisIsARootv2Task – Windows Server 2008 V2.0 task, at the root level
This\Task\Is\In\A\Folder – Windows Server 2008 V2.0 task in a sub folder
While it is technically possible to create a V1.0 task in a sub-folder on Windows Server 2008, this is not supported by Bravura Privilege , because the API provided by Microsoft does not support this. See Updating cached credentials (notification) .
DCOM
URIs for DCOM objects are simply GUIDs. The particular GUID for a DCOM URI is the DCOM object’s "Application ID".
To see the Application ID for a DCOM object do the following:
Open the dcomcnfg Windows program.
Browse to My Computer > DCOM Config.
Right click on the DCOM object of interest.
Click Properties.
Select the General tab.
The GUID is listed next to each application ID.
The URI must include { and } surrounding the application ID GUID as this corresponds directly to the registry key where it is configured.
Some examples:
{0bd2fd17-0874-443c-b001-6c6d29580b05}
{1a9f7926-1281-45c9-b454-6b9bdc064fb7}
COM+ Applications
URIs for COM+ applications follows a similar structure to DCOM objects, with the difference being that the URI has COM+: prepended to it.
To see the Application ID for a COM+ application, do the following:
Open the dcomcnfg Windows program.
Browse to My Computer > COM+ Applications.
Right click on the COM+ application of interest.
Click Properties.
Select the General tab.
The GUID is listed next to each application ID.
The URI must include COM+:{ and } surrounding the application ID GUID as this corresponds directly to the registry key where it is configured.
Some examples:
COM+:{7B4E1F3C-A702-11D2-A336-00C04F7978E0}
COM+:{7EE3D513B-93A7-4e90-9458-7F8602547363}
ODBC DSNs
For ODBC DSNs, the URI is the system DSN password, which is stored in one of the following registry hives:
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI (32-bit ODBC data sources on 32-bit machines, 64-bit ODBC data sources on 64-bit machines)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ODBC\ODBC.INI (32-bit ODBC data sources on 64-bit machines)
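To see which subscribers a notification will have to touch before a service account's password is randomized, the URI formats above can be reproduced from the target itself. The following added example (not Bravura Security Fabric's discovery code) enumerates services, scheduled tasks, DCOM AppIDs and COM+ applications on the local machine that run as a given account and prints each in the documented URI form. IIS and ODBC subscribers are not covered; the account name is a constructed sample.

```powershell
# Added example (not Bravura Security's code). Run on the Windows target in an elevated
# PowerShell; it only reads. $Account is a constructed sample service account.
param([string] $Account = 'CONTOSO\svc_app')

function Test-SameAccount {
    # Windows stores principals in several spellings; treat '.\user' as 'COMPUTER\user'.
    param([string] $Candidate, [string] $Wanted)
    if (-not $Candidate) { return $false }
    $c = $Candidate -replace '^\.\\', "$env:COMPUTERNAME\"
    $w = $Wanted    -replace '^\.\\', "$env:COMPUTERNAME\"
    $c -ieq $w
}

function Get-ServiceSubscriber {
    # URI is the short service name (Name), not the DisplayName shown in services.msc.
    param([string] $Account)
    Get-CimInstance Win32_Service |
        Where-Object { Test-SameAccount $_.StartName $Account } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Uri = $_.Name } }
}

function Get-TaskSubscriber {
    # Root tasks: URI is the task name. Sub-folder tasks: path relative to the root.
    param([string] $Account)
    Get-ScheduledTask |
        Where-Object { Test-SameAccount $_.Principal.UserId $Account } |
        ForEach-Object {
            $folder = $_.TaskPath.TrimStart('\')    # '' for root, 'A\B\' for sub-folders
            [pscustomobject]@{ Type = 'Task'; Uri = "$folder$($_.TaskName)" }
        }
}

function Get-DcomSubscriber {
    # DCOM identity is the RunAs value under HKLM\SOFTWARE\Classes\AppID\{GUID};
    # the key name already carries the braces the URI requires.
    param([string] $Account)
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $runAs = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).RunAs
            if (Test-SameAccount $runAs $Account) {
                [pscustomobject]@{ Type = 'DCOM'; Uri = $_.PSChildName }
            }
        }
}

function Get-ComPlusSubscriber {
    # COM+ catalog via the COMAdmin automation object; URI is 'COM+:' followed by '{GUID}'.
    param([string] $Account)
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if (Test-SameAccount $app.Value('Identity') $Account) {
            [pscustomobject]@{ Type = 'COM+'; Uri = "COM+:$($app.Value('ID'))" }
        }
    }
}

@(Get-ServiceSubscriber $Account) + @(Get-TaskSubscriber $Account) +
@(Get-DcomSubscriber $Account) + @(Get-ComPlusSubscriber $Account) |
    Sort-Object Type, Uri | Format-Table -AutoSize
```

Comparing the output against what auto discovery listed is a quick way to spot a subscriber that would be left with a stale cached credential (for example a V1.0 task in a sub-folder, which the page notes is not supported) before the password is changed rather than after services start failing to log on.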
Updating group attributes
Since group owners are not supported natively on Windows NT servers, additional configuration is required for some group update operations, such as deleting a group, updating group attributes, or updating group memberships.
The access controls for pre-defined requests such as _GROUP_DELETE_ or _GROUP_UPDATE_ATTRS_ should be reviewed in this case to allow access to perform such operations.
The comment group attribute is mapped to the GROUP_NAME resource attribute by default. The group attribute may be overridden to allow the group description to be updated by setting the value for 'Action when updating group' from 'None' to 'Set to specified value'.
The name group attribute may also be overridden to rename a group when updating the group attributes, by setting the value for 'Action when updating group' from 'None' to 'Set to specified value' and by setting the value for 'Map group attribute to resource attribute' to GROUP_ID. The GROUP_ID resource attribute would also need to be added to a resource attribute group such as GROUP_INFO_UPDATE.
Adding local NT groups as members of existing local NT groups is currently not supported natively on Windows NT servers. With the (agtnt) connector, group memberships of local NT groups may only be changed by adding or removing domain groups.
When creating a new group on a Windows server, the OU group attribute is not used. Any value may be specified from the Groups app in this case for NT system groups.
Windows server ports
Communication from clients to Windows NT systems and between various services can use a variety of TCP and UDP port numbers.
Caution
Do not open all these ports in a production environment to determine which one of them is required, other than for testing purposes. Open only the required ports, and if possible, only for the binaries of the services required. The Windows NT system uses various protocols and services.
These services may use any of the following port numbers:
| Protocol | TCP# | UDP# |
|---|---|---|
| HTTP | 80, 443, 593 | - |
| Named Pipes | 445 | - |
| RPC Endpoint Mapper | 135 | - |
| RPC Server Programs | 1025-5000 and/or 49152-65535 | - |
| NetBIOS | 137-139 | 137-139 |
| LDAP or LDAPS | 389 or 636 | 389 |
| DNS | 53 | 53 |
| Kerberos | 88 | 88 |
Additional services available on Windows NT systems, which may require specific ports, include:
| Protocol | TCP# | UDP# |
|---|---|---|
| Kerberos password change | 464 | 464 |
| | 25 | - |
| Replication | 135 | - |
| File replication | 5722 | - |
| AD web services | 9389 | - |
| Replication | 3268-3269 | - |
| DHCP | - | 67, 68 |
| GPO | 135, 137-139, 445 | 137-138 |
Best practice
Microsoft may modify the API or protocol behavior, such that some of the above ports may start getting connections after a patch is applied to clients and servers. Moreover, Microsoft may introduce new services or further expand the port numbers used by the RPC services mentioned above. As a result, the best practice is to avoid firewall restrictions based on TCP or UDP port numbers between Bravura Security Fabric server and Windows Server systems.
For more information, see Microsoft documentation: Service overview and network port requirements - Windows Server
Troubleshooting
If you experience any errors, verify that:
You can log into each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.
You can mount a share (normally NETLOGON) on each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.
Remote Registry service is running on all workstations/servers.
When updating domain account credentials, ensure that the account ID has the domain name prepended to it, for example domain\accountid.
You can reset user passwords with User Manager for Domains on the Bravura Pass server, while logged in with the administrator ID and password you created.
The Windows Firewall rules allow remote access and management of the subscriber objects.
Access is denied
If operations fail with the following error, this may be due to Windows’ UAC prompting for confirmation:
Failed: Access is denied. Failed to perform operation
Password changes performed by Bravura Privilege are logged to idmsuite.log and to the event viewer on the Windows Server.
To resolve this, you can:
Use the built-in administrator account as the target system credential, if the Windows Server is set with the default UAC settings.
If using psadmin as the target system credential, disable Admin Approval Mode by either:
Editing the local security policy (secpol.msc) > Local Security Settings > Local Policies > Security Options to disable the User Account Control: Run all administrators in Admin Approval Mode setting.
Setting the following registry value to 0:
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Install a proxy server on the Windows Server and run the connector via the proxy.
Grant the account the Execute Methods permission in WMI on the Windows target. From Windows Server 2008:
Select Start > All programs > Administrative Tools > Computer Management.
Select Services and Applications.
Right click on the WMI Control folder and select Properties.
Click on the Security tab.
Expand Root, click on WMI > Security.
Add the account for which access is being requested.
Locked out accounts
If users report locked out accounts after using the Bravura Security Fabric web interface to change or reset their passwords, they should be instructed to log out of their workstations after any password change. This prevents the following sequence of events:
The user’s workstation is configured to use ghosted connections, or caches login credentials.
The user logs into their workstation with password A.
The workstation stores the user-ID and the old password (A) for future reference.
The user connects to the Bravura Security Fabric server and changes their password from A to B.
Since this change took place on a different workstation in the domain (the Bravura Security Fabric server), the user’s workstation is unaware of the change.
The user then attempts to connect to a new server on the network.
The user’s workstation attempts to establish the connection using its stored (and now invalid) value for the password (A).
The server or domain controller records an invalid login attempt, and may lock out the user’s account.
To avoid locked accounts, disable password caching and ghosted connections on all workstations, or use the Password Manager Local Reset Extension to reset cached passwords on users' workstations.
Windows Firewall rules
If subscribers fail to list during auto discovery after they are configured to do so, this may be due to Windows Firewall not allowing the instance server to remotely access or manage the target system. You can edit the Windows Firewall rules under Start > Control Panel > Windows Firewall > Advanced settings. Verify that the following Firewall inbound rules are enabled and configured for the network profile used on the Windows Server:
For general listing of users, groups, attributes, subscribers, etc:
File and Printer Sharing (SMB-In)
For local service subscribers:
All Remote Service Management built-in rules (also required by IIS subscribers)
Alternately, have custom rules with the following configurations:
Port: TCP:135 (aka "RPC Endpoint Mapper")
Listener: %SystemRoot%\system32\svchost.exe
Service: rpcss
Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)
Listener: %SystemRoot%\system32\services.exe
Service: n/a
Port: TCP:445
Listener: System
Service: n/a
For IIS subscribers:
A custom rule with the following configuration:
Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)
Listener: %SystemRoot%\system32\dllhost.exe
Service: n/a
For scheduled task subscribers:
All Remote Scheduled Tasks Management built-in rules
Alternately, have custom rules with the following configurations:
Port: TCP:135 (aka "RPC Endpoint Mapper")
Listener: %SystemRoot%\system32\svchost.exe
Service: rpcss
Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)
Listener: %SystemRoot%\system32\svchost.exe
Service: schedule
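The target-side prerequisites scattered through this troubleshooting section (Remote Registry and WinRM running, the COM+ RemoteAccessEnabled value, the EnableLUA value from the "Access is denied" section, and the firewall rule groups just listed) can be audited in one pass. The following is an added example, not a Bravura Security Fabric tool; it only reads and changes nothing, and the expected values are those stated on this page.

```powershell
# Added example (not Bravura Security's code). Read-only audit of subscriber discovery
# and notification prerequisites. Run on the Windows target in an elevated PowerShell.

function Get-ServiceCheck {
    param([string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = "Service $Name running"
        Result = [bool]($svc -and $svc.Status -eq 'Running')
        Detail = $(if ($svc) { "$($svc.Status), startup $($svc.StartType)" } else { 'not installed' })
    }
}

function Get-RegistryDwordCheck {
    param([string] $Label, [string] $Path, [string] $Name, [int] $Expected)
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Check  = $Label
        Result = [bool]($null -ne $value -and [int]$value -eq $Expected)
        Detail = $(if ($null -eq $value) { 'value absent' } else { "value is $value, expected $Expected" })
    }
}

function Get-FirewallGroupCheck {
    # Counts enabled inbound rules in a built-in rule group. Rules are scoped to
    # profiles (Domain/Private/Public), so the active profile is reported alongside.
    param([string] $Group)
    $profiles = (Get-NetConnectionProfile).NetworkCategory | Select-Object -Unique
    $rules   = @(Get-NetFirewallRule -DisplayGroup $Group -Direction Inbound -ErrorAction SilentlyContinue)
    $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        Check  = "Firewall group '$Group' inbound rules enabled"
        Result = [bool]($rules.Count -gt 0 -and $enabled.Count -eq $rules.Count)
        Detail = "$($enabled.Count)/$($rules.Count) enabled; active profile(s): $($profiles -join ', ')"
    }
}

$checks = @(
    Get-ServiceCheck -Name 'RemoteRegistry'     # required for listing subscribers (see above)
    Get-ServiceCheck -Name 'WinRM'              # required for run command operations
    Get-RegistryDwordCheck -Label 'COM+ remote access enabled (Server 2016 method)' `
        -Path 'HKLM:\SOFTWARE\Microsoft\COM3' -Name 'RemoteAccessEnabled' -Expected 1
    # EnableLUA=0 is the page's option for a psadmin credential; 1 means Admin Approval
    # Mode is on and remote operations may fail with "Access is denied".
    Get-RegistryDwordCheck -Label 'UAC Admin Approval Mode disabled (EnableLUA=0)' `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'EnableLUA' -Expected 0
    Get-FirewallGroupCheck -Group 'File and Printer Sharing'
    Get-FirewallGroupCheck -Group 'Remote Service Management'
    Get-FirewallGroupCheck -Group 'Remote Scheduled Tasks Management'
)
$checks | Format-Table Check, Result, Detail -AutoSize
```

A failed EnableLUA check is informational rather than a defect: if the built-in administrator account or a proxy is used instead, as the page also allows, leaving UAC enabled is the preferable state.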
Test for DNS access
On all Windows targets, "Failed to connect" errors can often be traced to the operating system on which the target agent runs (application server or proxy) failing to resolve the name of the target, or the name of a domain controller on which to execute the agent operations.
To verify for failure to resolve domain controllers, run the following command on the target system:
nltest /DCLIST:domain.used.in.target.address
To check what domain controller a domain-joined system is communicating with at the moment, run the following command on the target system:
nltest /DSGETDC:domain.used.in.target.address
The latter can be used on a Bravura Security Fabric application server or proxy, or even on a workstation from which a password change request originates.
If the operating system fails to resolve the address of the target or to find a domain controller, check with the relevant Windows or Active Directory administrators to set up correct DNS resolution (add trust between domains or DNS forwarding, or run the required services on the affected domain controllers). The server on which Bravura Security Fabric's connector runs asks its own (joined domain) DNS for information on the other domains, so DNS forwarding or trust between the domains must be configured.
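The checks in this section, run from the instance server or proxy side as one script: name resolution of the target, the two nltest queries above, and TCP reachability of the fixed ports from the port table (the dynamic RPC range cannot be probed port by port). This is an added example, not a Bravura Security Fabric tool; the target and domain names are constructed placeholders.

```powershell
# Added example (not Bravura Security's code). Run on the Bravura Security Fabric
# application server or proxy. Hostnames below are constructed placeholders.
param(
    [string] $Target = 'winsrv01.corp.example.com',
    [string] $Domain = 'corp.example.com'
)

function Test-TargetNameResolution {
    param([string] $Name)
    try {
        $ips = (Resolve-DnsName -Name $Name -ErrorAction Stop | Where-Object { $_.IPAddress }).IPAddress
        [pscustomobject]@{ Check = "Resolve $Name"; Ok = $true; Detail = ($ips -join ', ') }
    } catch {
        [pscustomobject]@{ Check = "Resolve $Name"; Ok = $false; Detail = $_.Exception.Message }
    }
}

function Test-DomainControllers {
    # nltest prints text; a zero exit code on /DCLIST means the domain could be located.
    param([string] $Domain)
    $list = & nltest.exe /DCLIST:$Domain 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    $current = & nltest.exe /DSGETDC:$Domain 2>&1
    $lines = @($list) + @($current) | ForEach-Object { "$_".Trim() } | Where-Object { $_ }
    [pscustomobject]@{ Check = "Domain controllers for $Domain"; Ok = $ok; Detail = ($lines -join ' | ') }
}

function Test-TargetPorts {
    # 135 = RPC endpoint mapper, 139 = NetBIOS session, 445 = SMB/named pipes (port table above).
    param([string] $Target, [int[]] $Ports = @(135, 139, 445))
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $p to $Target"; Ok = [bool]$r.TcpTestSucceeded
                           Detail = "source $($r.SourceAddress.IPAddress)" }
    }
}

@(Test-TargetNameResolution -Name $Target) +
@(Test-DomainControllers -Domain $Domain) +
@(Test-TargetPorts -Target $Target) | Format-Table -AutoSize
```

A failing name resolution with passing port checks (after entering the address by IP) points at the DNS forwarding or trust configuration described above rather than at the connector or firewall.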