The Identity Finder Enterprise Client on a Windows system can be used to remotely search any file system that is viewable from that Windows system. For example, if a remote Unix or Linux system is running Samba and the files on that system can be viewed from Windows Explorer, those files can be searched. There are two methods for searching remote files:
- Custom Folder list: Used to search a mapped network drive or UNC path
- Remote Machine list: Used to connect to one or more remote computers, optionally authenticate, enumerate the available drives, and search all files on each drive.
Both methods can be used from within the Windows Enterprise Client user interface or configured via policy on Enterprise Console v4.5 or later. When using a policy, that policy will be applied to any Windows system that has the client installed (the managed endpoint) which will in turn search the remote computers (the unmanaged endpoint).
Custom Folder list
To search locally, remotely via a mapped drive letter, or remotely using a UNC path on a machine to which authentication credentials exist, use the Custom Folder list. The Custom Folder list will search the specified folder and all of its files and subfolders. To prevent a subfolder of a folder in the list from being searched, add the subfolder as an exclusion.
Within the client UI, the Custom Folder list is managed within Settings on the Custom Folders page. The folders specified as exclusions only apply when searching custom folders or when searching Remote Machines and the option, "Apply Custom Folder list exclusions to all machines" is enabled.
Within a policy specified on Enterprise Console v4.5 or later, use PolicyName > Search Locations > Custom Folders. Within a policy specified on the Enterprise Console 4.1.3 or earlier or in an XML configuration file, use the settings Profile\Admin\CustomFolderIncludeList and Profile\Admin\CustomFolderExcludeList. The folders specified as exclusions only apply when searching custom folders (Settings\Locations\Files\FileLocations is 2) or when searching Remote (Settings\Locations\Files\FileLocations is 3) and the setting Settings\Locations\Remote\ApplyCustomFolderListExclusions is Enable (1). When a policy is used or the above settings are used in an XML configuration file, the custom folders will not appear in the client user interface and, consequently, the user will not be able to edit the list. If the UserData section of an XML configuration file is used, the custom folders will appear in the client UI and users will be able to edit the list.
Remote Machine list
To search remotely via IP address, NetBIOS name, or fully qualified domain name, use the Remote Computer list. The list supports the use of IP address ranges in the form 10.10.10.1-10.10.10.255. Within the client UI, the Remote Machine list is managed within Settings on the Remote Machines page and within a policy specified on Enterprise Console v4.5 or later, the Remote Machine list is specified within PolicyName > Search Locations > Remote Machines.
Identity Finder will use the credentials available at the time of the search (for example, if the user is a Domain Admin and the remote machine is a member of the domain, no additional credentials are necessary). Alternatively, credentials can be supplied to Identity Finder. In Interactive Mode, the credentials are saved as part of the encrypted profile, while in policy the credentials are saved in an encrypted database. At the start of the search, an attempt will be made to authenticate to each specified machine. If a suitable connection cannot be made, the machine will be skipped and a log message will be written. This behavior can be modified:
- Allow prompt for network credentials during search (Settings\Locations\Remote\AllowPromptForCredentialDuringSearch): When enabled/set to "Ask at start of search" and a connection to the machine could be made but the specified privileges were insufficient, a dialog will appear allowing the user to provide alternate credentials.
- Authenticate Remote Machines during search (Settings\Locations\Remote\AuthenticateMachinesDuringSearch): When enabled, specifies that connections should not be made at the start of the search but rather sequentially as each machine is searched.
When searching remote machines, the client will enumerate all of the available drives on the remote machine and attempt to search them all (using the administrative root shares to each drive). This behavior can be modified:
- To prevent the searching of specific folders on all remote machines, add those folders to the Custom Folder list. Then enable the setting, "Apply Custom Folder list excludes on to all machines" (Settings\Locations\Remote\ApplyCustomFolderListExclusions).
- To prevent the searching of the system root location (as defined by the administrative system share) on all remote machines, enable the setting, "Exclude SystemRoot locations on all machines" (Settings\Locations\Remote\SkipSystemRoot).
- To search only specific folders on a remote machine, add the machine to the Remote Machine list but only enable "Specify authentication credentials" and provide a valid username and password. Via policy, select the mode "Auth Only." Then add the specific folders to the Custom Folder list via UNC paths.
How to search a Remote Machine when the search is initiated from the Console:
In the Policy on the left side select Search Locations>Remote Machine to configure the remote machine connection:
If in the Client you had configured it as a Custom Folder then you would configure the remote machine to authenticate only.
If you do configure it using Custom Folders, then you would also need to put the folder path in the Custom Folders on the Search Locations in the Policy.
You would also need to configure the following setting to be either Custom or Remote Machine. If you are using the Custom Folder method then you would configure it to be Custom. If you are authenticating and searching the remote machine then you would configure it to be Remote:
By default the results of a remote machine search will be shown in an endpoint named as the remote machine that was searched. This behavior can be changed to show the results on the Source Endpoint which is the endpoint that performed the search. This can be configured with the following Policy setting:
Searching DFS Shares:
Searching NAS devices:
How to Persistently Mount a FTP/SFTP folder in Linux for searching
OS Error Code: 5 What to do:
OS error Code: 5 is a Windows System generated error found here:
This typically means access is denied. Check the remote machine location found in this article below:
Also, check to make sure that the username and password you are using in the policy assigned to the endpoint searching the remote locations has proper access to the remote location listed in the policy above.
Error: Unable to connect to \\server\IPC$
Unable to connect to \\server\IPC$ is one of the most common error messages encountered.
The IPC$ share is also known as a null session connection. The IPC$ is a hidden share maintained by the Server service. The IPC$ share is used for Inter-Process Communication (communication between programs), allowing the client to send commands to the server. For example, "List all shares," "List files within a share."
In simplistic terms, IPC$ is used for data sharing between applications and between computers.
Some commands can be accessed anonymously through a NULL session, but others require the client to authenticate. Access is granted if the client can provide proper credentials (username and password). If the credentials aren't accepted by the server, then the client machine will get an error like: "\\server\IPC$ The password you supplied is not correct" or other variations of that message.
Another error message that is also commonly seen and directly related is "Access is denied (OS Error Code: 5)." This is an operating-system-generated error code that translates to "Access is denied." A listing of Microsoft's System Error Codes is here: https://docs.microsoft.com/en-us/windows/desktop/Debug/system-error-codes--0-499-
If any of the following ports are blocked between the Spirion Agent and the File Server, the same errors may occur:
TCP Port 135 - RPC Endpoint Mapper
UDP Port 137 - NetBIOS
UDP Port 138 - NetBIOS
TCP Port 139 - NetBIOS
TCP and UDP Port 445 - Named Pipes
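A preflight check for the two errors above, as an added example (not Spirion or Identity Finder code): run on the managed endpoint, it tests the TCP ports listed and then tries the IPC$ connection with the current logon's credentials. `$Server` is a placeholder for the remote machine, and the error-text match assumes an English-language Windows.

```powershell
# Added example, not vendor code. Run on the managed endpoint (the searching client).
param(
    [Parameter(Mandatory = $true)][string]$Server,  # placeholder: remote machine name or IP
    [int]$TimeoutMs = 3000
)

# TCP ports from the list above. The UDP ports are connectionless, so a connect
# test cannot confirm them; review the firewall rules for those instead.
$tcpPorts = @(
    @{ Port = 135; Use = 'RPC Endpoint Mapper' },
    @{ Port = 139; Use = 'NetBIOS' },
    @{ Port = 445; Use = 'Named Pipes' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($p in $tcpPorts) {
    $open = Test-TcpPort -HostName $Server -Port $p.Port -TimeoutMs $TimeoutMs
    [pscustomobject]@{
        Check  = "TCP $($p.Port) ($($p.Use))"
        Result = if ($open) { 'reachable' } else { 'blocked or closed' }
    }
}

# Connect to IPC$ as the current logon, which is what the client uses when no
# credentials are supplied. The connection is left in place afterwards.
$ipc  = '\\{0}\IPC$' -f $Server
$text = (& net.exe use $ipc 2>&1 | Out-String).Trim()
$status = if ($LASTEXITCODE -eq 0) {
    'connected'
} elseif ($text -match 'System error 5 ') {
    'access denied (OS Error Code: 5): check the account rights on the remote machine'
} else {
    "failed: $text"
}
[pscustomobject]@{ Check = "net use $ipc"; Result = $status }
```

If every port is reachable but the IPC$ line reports access denied, the problem is the account rather than the network path.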
How To Search and Troubleshoot Using a Discovery Team:
Viewing the Results of a Remote Machine Search
The results should be shown on the Results screen for an endpoint named as the NetBIOS name of the machine that was searched.
The results are not sent to the Console until the search (or chunk of the search) completes and then the Client is closed.
You should see the upload on the Status screen of the endpoint that was performing the search, under the uploads tab. It will say uploading, uploaded, Done or Error. If it is still uploading, then it needs to finish uploading before it is imported. Once it completes importing, it will be shown as Done. Once it is Done, you should see those results on the endpoint named as the machine that was searched. If it did not find any matches, then there is nothing to show on the Results screen. You can see on the Results screen of the Target endpoint (the machine that was searched) if there were any matches found in a search by filtering by searches: