How do I validate and examine the information for authenticated agents?
Security Manager 5.x
Security Manager 4.20
Security Manager 4.50
You can use the 'Agent Initialization Events' view to verify the information for an authenticated agent computer. The 'Agent Initialization Events' view provides identifying information about each agent computer with which the Consolidator has exchanged a key. For example, this view provides events containing the serial number of the system drive and the MAC address of the network adapter card for all authenticated agent computers.
You can compare the system drive serial number and MAC address detected for authenticated agent computers to the computers in your environment. A mismatch indicates a successful spoofing attempt and requires immediate attention.
Examining Agent Initialization Events
To examine initialization events, see the 'Agent Initialization Events' view located in the Security Views | Security Manager Self-monitoring | Agents folder in the Monitor console.
Examining the Agent Computer
After you have obtained the agent initialization events, compare the identification information in the event with information on the agent computer. A mismatch indicates a successful spoofing attempt and requires immediate attention. To compare the system drive serial number, log on to the computer and enter the following line at the command prompt:
Consider the following example output containing the serial number:
Volume in drive C has no label.
Volume Serial Number is FGH1-B1AA
The first available MAC address is reported in the agent initialization event. To compare the MAC address, enter the following line at the command prompt:
Consider the following example output containing the MAC address:
You can also find the MAC address information in the System Information | Components | Network | Adapter folder in the 'System Tools snap-in' extension of the Computer Management administrative tool. Administrative Tools are located in the Control Panel.
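The comparison described above can be scripted on the agent computer. The following PowerShell script is an added example, not part of the original article or of Security Manager. It assumes PowerShell 3.0 or later (for the CIM cmdlets); the parameter names and default values are constructed placeholders for the values copied from the agent initialization event. Because the event reports only the first available MAC address, the script accepts a match against any IP-enabled adapter.

```powershell
# Added example: compare the identifiers from an agent initialization event
# with the values found on the local computer.
# The defaults are constructed sample values; pass the real values from the
# event, for example: .\Compare-AgentIdentity.ps1 -EventSerial ... -EventMac ...
param(
    [string]$EventSerial = 'A1B2-C3D4',          # constructed sample
    [string]$EventMac    = '00-11-22-33-44-55'   # constructed sample
)

function ConvertTo-Canonical([string]$Value) {
    # Remove separators and fold case so that 'a1b2-c3d4' equals 'A1B2C3D4'
    # and '00:11:22:33:44:55' equals '00-11-22-33-44-55'.
    return ($Value -replace '[^0-9A-Za-z]', '').ToUpperInvariant()
}

# Volume serial number of the system drive (WMI reports it without a hyphen).
$disk = Get-CimInstance -ClassName Win32_LogicalDisk `
            -Filter "DeviceID='$($env:SystemDrive)'"
$localSerial = ConvertTo-Canonical -Value $disk.VolumeSerialNumber

# MAC addresses of every IP-enabled adapter on this computer.
$localMacs = @(
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled=TRUE' |
    Where-Object { $_.MACAddress } |
    ForEach-Object { ConvertTo-Canonical -Value $_.MACAddress }
)

$serialMatch = (ConvertTo-Canonical -Value $EventSerial) -eq $localSerial
$macMatch    = $localMacs -contains (ConvertTo-Canonical -Value $EventMac)

# Emit one record per computer so results can be collected and reviewed.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    EventSerial = $EventSerial
    LocalSerial = $localSerial
    SerialMatch = $serialMatch
    EventMac    = $EventMac
    LocalMacs   = $localMacs -join ', '
    MacMatch    = $macMatch
}

if (-not ($serialMatch -and $macMatch)) {
    Write-Warning 'Event identifiers do not match this computer. Investigate.'
    exit 1
}
```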
Please refer to the following knowledgebase articles related to the Agent Authentication process:
Overview of Agent Authentication mechanism in Security Manager.
How the Agent and Consolidator exchange keys using an initialize, rekey, and reinitialize process?
How can I troubleshoot and resolve errors with Agent Authentication failures?
What ports, communication and encryption methods does Security Manager use?