Authentication failed via 139/TCP and 445/TCP

fsilveira · December 8, 2022, 5:29pm

I’m trying to run a CIS Benchmark policy scan on a Windows Server 2019, but it gives me an error., Example:
Proof Content:
This is a complex check. Operator = AND
oval-org.cisecurity.benchmarks-def-1622728: ERROR
The status of compliance for this rule was derived from its parent rule(s).
oval-org.cisecurity.benchmarks-def-1622729: ERROR
The status of compliance for this rule was derived from its parent rule(s).

I validated the credentials and currently we are only able to authenticate through port 135/TCP, I believe that’s the issue, if so, how can we solve it?

We’ve already followed the best practices guide for Windows authentication, but it wasn’t enough to resolve the issue.

https://docs.rapid7.com/nexpose/authentication-on-windows-best-practices

Service Name	Port	Protocol	Authentication
CIFS	139	TCP	Unknown
CIFS	445	TCP	Credentials Failed
DCE Endpoint Resolution	135	TCP	Credentials Success

Thanks in advance for your time and support.

john_hartman · December 8, 2022, 6:41pm

If the credentials are failing for 445 I assume this is most likely a permissions issue. Honestly there are several things you could do to troubleshoot the windows credentials. However, my best suggestion would be to migrate away from windows credentials and go for the Scan Assistant instead. Instead of a domain account it uses an executable to provide a certificate for authentication. The Scan Assistant can perform all of the checks necessary and is actually more efficient let alone more secure.

aahuja · February 14, 2023, 6:48pm

Firstly ensure that the domain admin is also a part of the local admin.
Secondly, modify the scan template to check for ‘registry edits on windows systems’. This seems to have solved the issue we were having.