Auditing with Microsoft Assessment and Planning (MAP) Toolkit 5.0 – Part 1
Computer discovery methods
Before going any further, let’s talk about how MAP finds the computers in the network. As I said before, it is an agent-less system, which means it needs to find the list of computers first before it can connect to them.
There are six ways MAP can “discover” the computers in your network (MAP 4.0 used five):
- The Active Directory Domain Services (AD DS) : If the computers you are trying to inventory are all in Active Directory, use this method. It is simple and all it requires from the user is a domain name and a domain user account credentials. You just point MAP to the relevant AD domain and MAP will query the domain controller using LDAP (Lightweight Directory Access Protocol) to find the list of computers. What’s more is that you have a finer degree of control over which computers you want MAP to monitor. Large organisations will have hundreds, often thousands of servers and not all of them will be relevant to your audit. Using AD DS, you can drill down the hierarchy of AD and can specify one or more particular domains or all domains in the forest, one or more containers or Organizational Units within a domain and / or other OUs contained under them.
The account you specify for MAP must be a domain account and a member of the Domain Users group.
- Windows Networking Protocol: This method should be used for legacy systems where you still have servers connected to a Windows NT 4.0 domain or if you have servers connected in workgroups.
When using this method, you need to ensure two services are up and running in the machine where MAP is running: the Computer Browser service and the Server Service. MAP makes use of the Computer Browser service to broadcast messages to target computers, and computers running Microsoft Windows will respond to that.
What happens if you have a network where majority of servers are connected to the AD and only some are located in workgroups? The answer is to use both methods, or as I would do, run the AD DS method first and then use the second method.
- Using System Centre Configuration Manager: The third method makes use of the System Center Configuration Manager (SCCM). If your organisation uses SCCM and the servers you are trying to inventory are managed by it, you can point MAP to the SCCM and provide the appropriate credentials
- Import computer names from a file: You can also make a list of computer names and provide MAP with that. The file you will create needs to be a plain ASCII text file and have the computer names in each new line, without any commas or other delimiters. The names can be fully qualified domain names (like acctserv.mydomain.com) or NetBIOS names (e.g. ACCTSERV).
- Specifying an IP range: You can use this method if the servers you want to monitor belong to a specific subnet. In MAP, you just specify the starting IP address and the ending IP address; MAP will scan the network for the all computers in that range and try to connect to each of them. Microsoft suggests using this method when the AD DS or Computer Browser method cannot find the computers you are after.
- Manual entry: The last method you can use is to manually enter the computer names in the MAP wizard interface. You may wonder why or when you should use this method (or other manual methods like importing from a file): after all, MAP is supposed to be doing the finding for us. The answer is, you may be interested about only one or few particular servers. This may be the case if you are part of a large organisation and do not have much visibility of the rest of the network apart from the relatively few number of servers you manage.
Configuring the target computers
MAP uses two principal methods for connecting to target computers and performing inventory:
- Windows Management Instrumentation (WMI)
- Remote Registry Service
Of these two, WMI is used for querying the remote machine to get information on hardware, software and device drivers. The Remote Registry service is used for discovering the role of the computer in the network. It is also necessary for the Performance Metrics Wizard.
There are two other methods MAP uses. The first one is used to connect to virtual machine hosts like VMWare ESX (VMWare Webservice) and the second is used to connect to Linux servers.
For the purpose of this article, I will assume you are using MAP for auditing your Windows-based computers. For this to work, you will need to ensure your target computers are running both the WMI and the Remote Registry services. There is no way you can either initiate or enable these services from MAP. You will either need to enable and start them manually in each computer from Control Panel > Services applet or you need to have your system administrators do this by setting a Group Policy for the OU or domain.
Next, for each target computer you will need to provide the username and password of an account that is a member of the Local Administrator group of that machine. MAP will use this logon credentials to connect to WMI running in that machine. Even when you are auditing a single OU within your AD, this may mean connecting to dozens or even hundreds of computers. Specifying a separate local administrator account for each of these computers is not practicable. There are two ways you can address this:
- If your organisation has a domain account that is a member of the Local Administrator group in each machine, you can use that. An example would be a generic DBA or support person account.
- You can also use a domain administrator account. By default, Domain Administrators group is a member of the Local Administrator group in Windows servers.
Finally, you will also probably need to perform further tweaking on your target servers if they are running hardware or software-based firewalls, particularly Windows Firewall. This is because there are two things firewalls would not allow that MAP uses: remote administration via WMI and file & printer sharing. To enable both these options, the relevant TCP and UDP ports need to be opened up.
For remote administration, the TCP port is 135. For file and printer sharing, TCP ports are 139 and 445 and UDP ports are 137 and 138.
If your servers are running Windows Firewall, you can enable the ports either from the Local Security Policy or have your System Administrators create the appropriate Group Policy so that it propagates to the machines.
For enabling Windows Firewall exceptions through Group Policy at the AD level (for specific OUs or even domains), you need to follow these steps:
- Start the Group Policy Editor (you can run gpedit.msc from command prompt)
- Expand the Computer Configuration node. Underneath that, expand Windows Settings > Security Settings > Local Policies and then select Security Options. On the detail pane, double click on the entry for “Network access: sharing and security model for local accounts” (see below)
- In the dialogue box that appears, choose “Classic – local users authenticate as themselves” option from the drop down list (see below) and click OK.
- Now from Computer Configuration node again, expand Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile. You will need to enable two options here: Windows Firewall: Allow remote administration exception and Windows Firewall: Allow file and printer sharing exception (see below).
- When you double click on the Windows Firewall: Allow remote administration exception option from the detail pane, you will see the following dialogue box:
Click on the Enabled option. In the Allow unsolicited incoming messages from textbox, type the IP address of the computer where MAP is installed.
- Click OK and follow the same process for Windows Firewall: Allow file and printer sharing exception option.
- The policy will take effect the next time Group Policies are propagated.
All we did here was instruct Windows Firewall to allow specific traffic from the MAP computer which would otherwise be refused.
If your target server is running another firewall (software or hardware based), you will need to follow its own procedures for enabling remote administration and file/printer sharing.
You can now see that although MAP is agent-less, there are a number of configurations prerequisites that need to be satisfied. Some of these will be beyond your control and in the domain of network administrators. That’s why you will need to liaise with your network system administrators and build an effective relationship to get their buy-in. Network administrators will inevitably be reluctant to change a Group Policy or opening a firewall port. You will need to give them the confidence that these exceptions will not be made on a permanent basis, rather only for the duration of the audit.
In fact it would be even better if you can tell them about the specific servers. The approach I would take is to run the MAP toolkit first without enabling any exceptions. This is possible as long as you have access to a domain account (MAP will use that for querying the AD) and an account that is a member of the Local Administrator group in each machine.
Once you have run the Inventory and Assessment Wizard for the first time, you can generate a report (we will see how it is done shortly). In the Excel spreadsheet of the report, you can look up any computers for which the WMI status does not show “Success” or refer to the MAP high level report showing “insufficient data”. You can use this as a starting point for further investigation.