Hello,
In a customer environment I am currently at a point where the enabled logging did not really help me.
The “WMI hotfix detection failed”, but the log doesn’t tell me why.
I tried PingCastle 3.5.0.37 and 3.5.0.40 with no luck. In this environment I have no admin workstation, so I ran PingCastle on a domain controller. This localhost DC was successfully detected.
The trace log has the additional information “Der RPC-Server ist nicht verfügbar.” (“RPC Server is not available”)
Tested on the same machine against the same target, PowerShell works with two different commands:
Get-CimInstance Win32_QuickFixEngineering -ComputerName $DomainControllerFQDN
Get-WmiObject Win32_QuickFixEngineering -ComputerName $DomainControllerFQDN
The servers are Windows Server 2022 and have a firewall in between which might be blocking.
As the servers are not queried in parallel (or no more than three at a time), it takes about 8 minutes to query 7 DCs (and for 6 to fail). There should be a result stating that ports are unreachable on several tested targets or that DNS may be wrong.
In my case I checked the TCP connections and found out that tcp/135 (RPC), tcp/389 (LDAP) and some others like tcp/445 (SMB), tcp/636 (LDAPS) and tcp/8531 (WSUS) are closed (maybe the high ports are too).
What I expect:
- The performance could be optimized by increasing the number of parallel queries/threads, which would be important for larger environments as well.
- The WMI query method might need to be updated to be more compatible; maybe add the new WMI connection method.
- Reduce the TCP SYN-SENT timeout to close the session if the target does not respond within a defined time (500 ms?).
- In general there should be a report that at least tells me that some servers/services were not reachable. In the best case the report tells me the source IP, target (name), resolved IP, TCP/UDP protocol, port, service name (ldap/ldaps/smb/wsus/ADWS/http/https/rpc/rpc-dynamicport) and whether the target did not respond, rejected the connection or gave an unexpected/unknown response.
- The XML should state that certain things were not tested, as it does with
HealthcheckData.DomainControllers.HealthcheckDomainController[n].SMB1SecurityMode : NotTested, where “not tested” is informative. For the “InstalledHotFixes” value there is simply no parameter and therefore no data. That could mean “no hotfix”, “not tested” or “no response from target”.
What I do now:
Talk with the customer to fix the closed ports, or give me a machine which is able to do a full PingCastle check.
Should I open an “Idea” for the “closed port/target log” extension?
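As an added example (not code from the original post and not part of PingCastle), the following PowerShell script produces the kind of reachability report the post asks for: per target it records source IP, target name, resolved IP, protocol, port, service name and whether the port answered, refused the connection (RST), timed out or could not be resolved, using the 500 ms SYN timeout proposed above. It then runs the Win32_QuickFixEngineering query from the post only against targets whose tcp/135 answered, in parallel jobs with an explicit operation timeout, so a blocked DCOM high port shows up as a timed-out WMI query instead of an empty hotfix list. The domain controller names and the port-to-service map are assumptions to adjust for the environment.

```powershell
# Added example, not code from the original post or from PingCastle.
# Reachability report plus parallel, time-limited WMI hotfix queries.
# Assumptions: the DC names are placeholders; run from a host allowed to
# reach the DCs (for instance the DC the post ran PingCastle on).
param(
    [string[]] $DomainControllers = @('dc01.example.local', 'dc02.example.local'),  # placeholders
    [int]      $TcpTimeoutMs  = 500,   # the SYN-SENT timeout proposed in the post
    [int]      $WmiTimeoutSec = 30
)

# Ports the post found closed, mapped to the service each one carries.
# A plain hashtable is used on purpose: indexing an [ordered] dictionary
# with an [int] key selects by position, not by key.
$Services = @{ 135 = 'rpc'; 389 = 'ldap'; 445 = 'smb'; 636 = 'ldaps'; 8531 = 'wsus' }

function Test-TcpPort {
    # TCP connect with a hard timeout. Distinguishes "no answer" (filtered/dropped)
    # from "rejected" (RST) so the report can say which one it actually saw.
    param([string] $Target, [int] $Port, [int] $TimeoutMs)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return [pscustomobject]@{ Result = 'no response (timeout)'; SourceIp = $null }
        }
        $client.EndConnect($handle)   # throws SocketException when the peer sent RST
        return [pscustomobject]@{
            Result   = 'open'
            SourceIp = $client.Client.LocalEndPoint.Address.ToString()
        }
    } catch [System.Net.Sockets.SocketException] {
        return [pscustomobject]@{ Result = 'rejected (RST)'; SourceIp = $null }
    } catch {
        return [pscustomobject]@{ Result = "unexpected: $($_.Exception.Message)"; SourceIp = $null }
    } finally {
        $client.Dispose()
    }
}

$report = foreach ($dc in $DomainControllers) {
    # Record a DNS failure as its own outcome instead of letting it look like a closed port.
    try   { $resolved = ([System.Net.Dns]::GetHostAddresses($dc) | Select-Object -First 1).ToString() }
    catch { $resolved = 'DNS failure' }

    foreach ($port in ($Services.Keys | Sort-Object)) {
        $probe = if ($resolved -eq 'DNS failure') {
            [pscustomobject]@{ Result = 'not tested (DNS failure)'; SourceIp = $null }
        } else {
            Test-TcpPort -Target $dc -Port $port -TimeoutMs $TcpTimeoutMs
        }
        [pscustomobject]@{
            SourceIp   = $probe.SourceIp
            Target     = $dc
            ResolvedIp = $resolved
            Protocol   = 'tcp'
            Port       = $port
            Service    = $Services[$port]
            Result     = $probe.Result
        }
    }
}
$report | Format-Table -AutoSize

# Hotfix query only where tcp/135 answered. The DCOM high ports may still be
# blocked; -OperationTimeoutSec turns that into a failed job instead of a hang.
$rpcOk = $report | Where-Object { $_.Port -eq 135 -and $_.Result -eq 'open' } |
    Select-Object -ExpandProperty Target
$jobs = foreach ($dc in $rpcOk) {
    Start-Job -Name $dc -ArgumentList $dc, $WmiTimeoutSec -ScriptBlock {
        param($Target, $Timeout)
        Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName $Target `
            -OperationTimeoutSec $Timeout -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    }
}
$null = $jobs | Wait-Job -Timeout ($WmiTimeoutSec + 10)
foreach ($job in $jobs) {
    $completed = $job.State -eq 'Completed'
    $hotfixes  = if ($completed) { Receive-Job $job -ErrorAction SilentlyContinue } else { @() }
    [pscustomobject]@{
        Target      = $job.Name
        WmiStatus   = if ($completed) { 'queried' } else { "WMI $($job.State.ToString().ToLower())" }
        HotfixCount = @($hotfixes).Count
    }
}
$jobs | Remove-Job -Force
# Targets whose tcp/135 never answered do not reach the WMI step at all, so for
# them the hotfix data is "not tested" by construction, not an ambiguous empty value.
```

Running it from the DC in the post would separate the three cases the post says the current output cannot tell apart: a DNS problem, a filtered port (timeout), and a refused connection, and it keeps the WMI step from silently producing an empty InstalledHotFixes when the RPC path is blocked.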
