
Client protection with local Windows Policies Enabled

Hey

I configured a server (workgroup environment) with Sophos Enterprise Console 5, which works on clients with no local Windows policies enabled; all clients get their updates and Sophos works very well.

Now I have another network with the same configuration, only now all these clients have Windows security policies enabled.

Now when I try to push Sophos to these clients I get the 3051 error, which means the server cannot create the SophosSAU<computername> or the password (policy) account for some reason.

Things I have done to solve this problem:

- Put policies off > Result is that everything works, but I want policies enabled, so this is not a solution for me.

The fault is that the client's policy asks for a complex password, like 7 characters and a number for example,

which causes Enterprise Console to give the 3051 error.

My question is:

- Is there a possibility to let the server (Enterprise Console) make a local SophosSAU<computername> account on the client with a complex password? And how to do that? Or a workaround for this?

Greets Ronnie

EDIT:

I found this topic:

http://www.sophos.com/support/knowledgebase/article/48910.html

My question is: is this for server side or client side? And anything to configure after?

:22283


This thread was automatically locked due to age.
  • Hi,

    You can use that article to pre-stage an account, such that when AutoUpdate installs it will use that rather than create one for you.

    Regards,

    Jak

    :22287
  • Hello Ronnie,

    It is not the server which creates this account but the installer on the client. Now I don't know which rules it uses to create the password - but apparently not the required one.

    You can predefine the required account as per Manually creating an AutoUpdate account. Personally I'd take this to Support though to get a statement on update account vs. password policies.

    Christian

    :22293
  • Hey, thanks for the replies.

    I have a few questions about this:

    - So make the account in the registry before I protect it with Sophos Client?

    - Does the installer not make SophosSAU<computername>1 then, instead of 0 which it makes normally?

    - If the installer makes the account + password, does it do this only locally on the client? Not send anything back to the server?

    - Manually creating the AutoUpdate account I should do on all clients then (or make an image with this reg edit in it)?

    - Any script available to do this automatically?

    And about the update account vs. password policies.

    I couldn't find anything related to this, but I guess more people should have experienced this same problem, because it's very common for a company to have a complex password in case of security.

    :22295
  • You must create the account before protecting the clients. AutoUpdate will use the preconfigured account (and not create one with another suffix - this is normally only used on DCs). As these are local accounts the action must be performed for each client. Adding the required keys (by whatever method) should be pretty straightforward.

    The AutoUpdate service runs as LOCAL SYSTEM and therefore has no access to network resources. In order to download updates it must impersonate an account which does - this is the SophosSAU<COMPUTERNAME>0 user. Acting as this user AutoUpdate then accesses the CID using SophosUpdateManager (or whatever is specified in the policy).

    "I guess more people should have experienced this same problem"

    Yes, but I know of no article or doc specifically addressing this (at least I haven't found one). So I wonder what's the official answer from Sophos, whether a defect has been raised or a suggestion accepted.

    Christian

    :22303
  • OK, thanks for this information so far. I'm gonna look first at whether I can find something in the installer which has to do with the account and password for the SophosSAU account.

    Second, I think I'm gonna call Sophos support to ask about this.

    And third, all the info I find about this I will post in this topic, so it's clear what to do for other people who experience this same problem.

    EDIT:

    Another question:

    Any idea which file or .dll in the installer (AutoUpdate) has a command line that makes the SophosSAU account with password in it?

    This post http://sophos.lithium.com/t5/Sophos-Endpoint-Protection/Problems-updating-clients/td-p/16907

    is also very similar to my problem, with one difference: I want to make things go automatically so I don't have to change a lot of things on the client side.

    :22309
  • Solution:

    Workgroup Configuration with password policy enabled

    First of all I started with a clean configuration of Windows and Enterprise Console 5 (with 5 you can select a default update account).

    The first thing I did was install all the prerequisites, and afterwards I started to install Enterprise Console.

    When Enterprise Console asks to make a SQL instance SOPHOS, make it and enter your admin account:

    Administrator / Password

    The next tab where you have to fill in something which needs attention is the part Update Manager Account (default update account):

    SophosUpdateaccount / Password (I made a complex password, for example: P@ssw0rd1)

    TIP: Remember or write down this password

    After this, just install Sophos Enterprise Console like you normally do.

    After installation, update the CID and Warehouse with the newest version in:

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Update your Update Manager in your Enterprise Console with the latest binaries, and select which subscription will be installed on your clients (under recommended).

    On your dashboard also make a folder under Unassigned, like Assigned.

    Now search for computers on your network and first let them all stay in Unassigned.

    The only thing you can do now is update your server with Sophos Client if you need to, because this one doesn't have password policies.

    The next thing I did was check that my SophosUpdateaccount has read rights on

    C:\Documents and Settings\All Users\Application Data\Sophos\Update Manager\Update Manager

    Second, I checked that I have an admin account in Computer Management on the server which is also admin on the clients, for example:

    clientadmin / password

    This is the account which can install software on the clients when protecting the computers.

    Clients part:

    On the client I made an account which the Sophos installer normally makes, but because of the password policy it cannot:

    In Computer Management on the client add the following account:

    SophosSAU<Computername>0

    I gave this one the same complex password as the SophosUpdateaccount (I made a complex password).

    The next thing I did was edit the registry before the Sophos installer makes the keys:

    I made a sophos.reg file with these settings:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service]
    ; Replace <computername> with the client's computer name
    "Download User"="SophosSAU<computername>0"
    "Download Password"="P@ssw0rd1"
    "ObfuscatedPassword"=dword:00000000
    "UserPreset"=dword:00000001

    I put them in the registry before pushing the install from the server with Enterprise Console.

    After this you can push an install of Sophos Client to the clients (unassigned) from the Enterprise Console without having problems with password complexity.

    Greets Ronnie!!

    PS.

    I'm busy making these registry settings and the adding of accounts happen automatically with a script.

    When I have worked it out and tested it, I will post it here.

    :22357
  • OK, as promised, here is the script I use for pre-configuring clients when password policies are enabled:

    @echo off
    REM Run as administrator on each client before pushing the install.
    REM Set the password once here; replace the placeholder before running.
    set "SAU_PASS=<Enter Password here>"
    REM
    REM=====Make Local Account on Client======
    REM
    net user SophosSAU%COMPUTERNAME%0 "%SAU_PASS%" /add /comment:"Account for updating Sophos" /passwordchg:NO
    wmic useraccount where "name='SophosSAU%COMPUTERNAME%0'" set passwordexpires=FALSE
    net localgroup "Users" SophosSAU%COMPUTERNAME%0 /ADD
    REM
    REM
    REM======Add Username Regedit=====
    REM
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service /v "Download User" /t REG_SZ /d SophosSAU%COMPUTERNAME%0 /f
    REM
    REM======Add Password Regedit=====
    REM
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service /v "Download Password" /t REG_SZ /d "%SAU_PASS%" /f
    REM
    REM======Add Obfuscated==
    REM
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service /v "ObfuscatedPassword" /t REG_DWORD /d 00000000 /f
    REM
    REM======Add Userpreset==
    REM
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\Service /v "UserPreset" /t REG_DWORD /d 00000001 /f
    pause
    exit
    
    
    :22391
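
A read-only check of the pre-staging described in the two posts above, as an added example that is not part of the thread and not Sophos code. It assumes an elevated Windows PowerShell session on the client; the key path and value names are the ones posted in the thread, and `$KeyPath` is a parameter introduced here. The password itself is never printed.

```powershell
# Added example: verify the pre-staged AutoUpdate account and registry values
# from the thread, and show who can read the key that holds the password.
param(
    # Assumption: same key the thread writes to; override if your install differs.
    [string]$KeyPath = 'HKLM:\SOFTWARE\Sophos\AutoUpdate\Service'
)

$account  = "SophosSAU$($env:COMPUTERNAME)0"
$findings = @()

# 1. The local account must exist before the install is pushed.
$user = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$account'"
if (-not $user) {
    $findings += "Local account $account does not exist"
} else {
    if ($user.Disabled)           { $findings += "$account is disabled" }
    if ($user.PasswordExpires)    { $findings += "$account password is set to expire" }
    if ($user.PasswordChangeable) { $findings += "$account is allowed to change its password" }
}

# 2. The four registry values set by sophos.reg / the batch script.
$svc = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Registry key $KeyPath is missing"
} else {
    if ($svc.'Download User' -ne $account) { $findings += "'Download User' is not $account" }
    if ([string]::IsNullOrEmpty($svc.'Download Password')) { $findings += "'Download Password' is empty" }
    if ($svc.UserPreset -ne 1) { $findings += "UserPreset is not 1" }
    if ($svc.ObfuscatedPassword -eq 0 -and $svc.'Download Password') {
        $findings += "NOTE: 'Download Password' is stored as written (ObfuscatedPassword=0); review the key ACL below"
    }

    # 3. Every principal listed here can read the stored password value.
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, RegistryRights |
        Format-Table -AutoSize
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else           { Write-Output "$account is pre-staged as described in the thread" }
```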