
Password comparison checks no longer working in CCS after MS16-047 applied to Windows machines.


Article ID: 163683


Products

Control Compliance Suite Standards Server, Control Compliance Suite

Issue/Introduction

An error is received when trying to use certain password checks that examine the content of the password and compare it to various things.

 

PWDump::GetRemoteHashes() - PrivateGetPasswordBatchFromPWHashDumpServiceOnRemoteMachine() failed with error 0x000006D3 for <machine name>. Error: The authentication service is unknown.
 

Environment

Windows with MS16-047 installed.

 

Cause

Please review the Microsoft technote on the MS16-047 patch for the cause.

 

Resolution

At this time Symantec does not believe it is possible to address this issue. This issue affects both agentless and agent-based password comparison checks for Raw Based (RBC) data collections. Symantec does not recommend removal of MS16-047, as it will be a prerequisite for future critical OS patches (per Microsoft).

Microsoft patch MS16-047 has blocked the retrieval process that is used to obtain the password hashes that Control Compliance Suite (CCS) uses to perform various password comparison checks. Symantec is not aware of any other third-party tools, including hacker tools, that can do this once this patch is applied to a Windows machine. If a new method for obtaining Windows password hashes on patched systems becomes available, Symantec will consider implementing it to make password comparison checks work again. However, if proper password complexity policies are enforced on Windows machines (which CCS can check via RBC checks), password comparison checks become much less relevant. Correctly set password complexity policies, enforced on a Windows machine, should make it extremely difficult (if not impossible) for users to set their passwords to anything that the comparison checks would have checked for.

Complete list of Password Comparison Checks in RBC:

  • Password Is User Name?
  • Password Found in File?
  • Password Is Blank?
  • Password is Any User Name?
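
Added example, not part of the original article or of CCS: a Python script that reads the [System Access] section of a `secedit /export` file and reports which of the comparison checks listed above the enforced password policy leaves uncovered. The sample export, the 14-character baseline and the function name are assumptions made for this example.

```python
import configparser

# Constructed sample of what `secedit /export /cfg policy.inf` writes on
# Windows; the values are made up for this example.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

MIN_LENGTH = 14  # assumed baseline for this example, not a CCS or Microsoft default


def audit_password_policy(inf_text, min_length=MIN_LENGTH):
    """Map each comparison check to the reason policy does not cover it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        raise ValueError("no [System Access] section in export")
    access = parser["System Access"]
    length = access.getint("MinimumPasswordLength", fallback=0)
    complexity = access.getint("PasswordComplexity", fallback=0) == 1
    gaps = {}
    # A blank password is rejected by any minimum length >= 1 or by complexity.
    if length < 1 and not complexity:
        gaps["Password Is Blank?"] = "no minimum length and complexity disabled"
    # The Windows complexity rule rejects a password containing the account
    # name (skipped by Windows for account names shorter than three characters).
    if not complexity:
        gaps["Password Is User Name?"] = "complexity disabled"
    # No built-in setting compares against a word list or other accounts'
    # names; length plus complexity only makes such passwords unlikely.
    if not complexity or length < min_length:
        reason = f"complexity={int(complexity)}, minimum length={length} (< {min_length})"
        gaps["Password Found in File?"] = reason
        gaps["Password is Any User Name?"] = reason
    return gaps


if __name__ == "__main__":
    for check, reason in audit_password_policy(SAMPLE_INF).items():
        print(f"NOT COVERED  {check}  ({reason})")
```
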

Additional Information

Note: This does not appear to be an issue with newer operating systems such as Windows Server 2019.

If you are getting an error about a user not found, delete the domain cache and let CCS rebuild it from scratch.