IT audit as a data workspace in the program
In Ewida Audit, the term IT Audit means a data workspace where you can store hosts representing computers and scan them repeatedly over time. It is not a single report, but a working environment where the results of successive audits are collected.
This approach works well in a Windows desktop application because it lets you work continuously with hosts, scan results, and change history without having to create a new project for each new check.
Creating a new audit
A new audit is usually created only once and then used as the main workspace. The exception is when audits are run separately for different companies, branches, or isolated parts of an organization.
In practice, a user with an internal license creates one audit for their company and performs recurring computer scans in that same workspace. If the company wants to split the data into several independent areas, however, it can create more than one audit workspace.
New audit wizard
To start the new audit wizard, choose:
Menu > Audit > New
The wizard guides the user through several basic steps. These include:
- entering the details of the company covered by the audit,
- adding hosts, meaning the computers planned for scanning,
- optional Agent installation,
- optional execution of the first scan.
Adding at least one host is required. The remaining steps can be skipped and revisited later. Once the audit workspace has been created, new hosts can be added at any time, and scanning itself can be started whenever needed.
Adding hosts for scanning
A host in Ewida Audit represents a computer to be scanned. To start the host adding wizard, use:
Menu > Host > New
Hosts can be added in several ways:
- Search for hosts (LAN) — automatic search for computers in the local network.
- Active Directory — importing computers from a specific LDAP path.
- IP Scan — scanning a selected IP address range using ping and DNS data.
- Manual entry — manually adding a host with the correct Host Name (HostName) field value.
- Import — importing hosts from another audit or from the Ewida Standard database.
- Scan files — automatic host creation when loading scan files.
In practice, the method of adding hosts depends on how well organized the infrastructure is and where reliable computer data can be obtained most easily.
Host and related objects
When entering hosts, you can also add their related objects right away. To do this, switch to host edit mode and open the Related Objects tab.
The most commonly used relationships are:
- License — assigned to the host in audit-auto-match mode, which allows licenses to be matched automatically to detected software during data recognition.
- User — the host can retrieve location data from the user, such as location, branch, section, and room number.
This is useful when, at the audit preparation stage, it is already known which user is responsible for a given workstation or which licenses should be taken into account when analyzing the host.
Host scanning window
Remote computer scanning is started with the Host Scanning Wizard. It can be opened through:
Menu > Audit > Scan
The same window is also available from the new audit wizard. This is where you choose the hosts to scan, set connection methods, and start the entire audit process.
Computer scanning modes
Each host can be scanned using a different method. In the Scanning Mode field, you choose the connection method for a specific computer. Three basic modes are available:
- Local — scanning the local computer on which Ewida Audit is running.
- Agent — scanning with a previously installed Agent.
- DCOM — scanning through a remote DCOM connection, after prior system configuration.
This makes it possible to combine different working methods within a single process. That matters in mixed environments, where some computers are prepared for Agents and others are scanned on demand through DCOM or locally.
Adding, editing, and removing hosts from scanning
In the scanning window, you can manage the list of computers included in the current process. Three basic operations are available:
- Adding hosts to scanning — using the add button or the context menu.
- Editing hosts — using the edit button or the host context menu.
- Removing hosts from scanning — removing selected hosts, all hosts, or only those with connection errors.
It is worth remembering that removing a host from the current process does not delete it from the audit database. It only means that the host will be skipped during the currently running scan.
Connection test before scanning
Before scanning begins, each host should pass the connection test successfully. The test starts automatically after a host is added to the list, but it can also be triggered manually with the Connection Test button.
This is an important stage because it allows configuration errors to be caught before the actual process starts. In practice, it is best to first bring the host list to a state with no errors and only then start scanning.
Most common DCOM errors
With DCOM connections, three groups of problems appear most often:
- No response to PING — usually means an incorrect host name, a powered-off computer, or no network availability.
- The RPC Server is unavailable — most often points to an incorrect remote DCOM access configuration.
- Access Denied — usually means incorrect remote authorization settings, such as the administrator login and password used for the connection.
When DCOM errors occur, it is worth checking several areas at the same time: the host name, network response, firewall settings, WMI configuration, and the login credentials assigned to the host.
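The three error groups above can be checked from the auditing workstation before the scan is started. The following is an added example, not part of Ewida Audit or its documentation; the function name `Test-DcomScanReadiness` and the host names are assumptions made for illustration.

```powershell
# Added example (not Ewida Audit code). Test-DcomScanReadiness is a hypothetical helper.
function Test-DcomScanReadiness {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential,
        [int]$TimeoutSec = 15
    )
    $r = [ordered]@{ Host = $ComputerName; Ping = $false; Rpc135 = $false; Wmi = $false; Diagnosis = '' }
    $session = $null

    # Group 1: no response to PING (wrong host name, powered off, no network path).
    $r.Ping = [bool](Test-Connection -ComputerName $ComputerName -Count 2 -Quiet)
    if (-not $r.Ping) {
        $r.Diagnosis = 'No response to PING: check host name, power state, network'
        return [pscustomobject]$r
    }
    # Group 2: the RPC endpoint mapper (TCP 135) must accept connections for DCOM.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $r.Rpc135 = [bool]$tcp.TcpTestSucceeded
    if (-not $r.Rpc135) {
        $r.Diagnosis = 'RPC server unavailable: check firewall and remote DCOM access'
        return [pscustomobject]$r
    }
    # Group 3: an authenticated WMI query over DCOM, as a remote scan would need.
    $cimArgs = @{
        ComputerName        = $ComputerName
        SessionOption       = New-CimSessionOption -Protocol Dcom
        OperationTimeoutSec = $TimeoutSec
        ErrorAction         = 'Stop'
    }
    if ($Credential) { $cimArgs.Credential = $Credential }
    try {
        $session = New-CimSession @cimArgs
        $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop
        $r.Wmi = $true
        $r.Diagnosis = "OK: $($os.Caption) $($os.Version)"
    } catch {
        $err = $_   # keep the error record; $_ is rebound inside switch
        # Matched by HRESULT or English message text; other UI languages are not covered.
        $r.Diagnosis = switch -Regex ("$($err.FullyQualifiedErrorId) $($err.Exception.Message)") {
            '80070005|Access is denied'          { 'Access Denied: check remote authorization settings'; break }
            '800706ba|RPC server is unavailable' { 'RPC server unavailable: check remote DCOM access'; break }
            default                              { "Unclassified: $($err.Exception.Message)" }
        }
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    [pscustomobject]$r
}
# Constructed host names; replace with hosts from the scan list.
'PC-ACCT-01', 'PC-ACCT-02' | ForEach-Object { Test-DcomScanReadiness -ComputerName $_ } | Format-Table -AutoSize
```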
Starting and stopping the scanning process
To start computer scanning, use the Start Process button. Each host is scanned in a separate thread, and the maximum number of these threads can be configured in the general audit options.
In slower or overloaded environments, the timeout for remote queries can also be adjusted. This is useful when connections are unstable or computers respond with delays.
The process can be stopped entirely with the Stop Process button, or scanning can be stopped only for a selected host using its context menu.
Host scanning log
The progress of remote scanning can be monitored in real time. Use the Host Audit Log button or the corresponding option in the host context menu.
For the selected computer, a separate text window opens, where messages from the currently running process are displayed. This is very useful when diagnosing errors because it shows exactly at which stage the scan stopped or what was completed successfully.
DCOM - when this method is worth using
Scanning through DCOM is one of the three methods available in Ewida Audit. It works well where there is no need to install an Agent, but the computers are properly prepared for remote administrative connections.
It is worth remembering, however, that DCOM configuration depends on the Windows version, security policies, and administrative permissions. In some environments, this is a quick and convenient method, while in others it is more practical to use an Agent or local scanning.
Windows Firewall - enabling remote management
When configuring DCOM, one of the first areas to check is Windows Firewall. You should make sure that remote management and the required network exceptions are allowed for the given computer.
- Run gpedit.msc.
- Go to the policy branch related to Windows Firewall.
- Check the settings for remote administration exceptions, ICMP, local ports, and local programs.
In some environments, some of these settings may already be applied centrally by a domain administrator, so not all changes have to be made manually every time.
WMI - security and permissions
The second important area is WMI configuration. For remote scanning to work properly, you need to check whether the Administrators group has the required rights to the appropriate WMI namespaces and subnamespaces.
- Run wmimgmt.msc.
- Open the properties of WMI Control (Local).
- Go to the Security tab.
- Check the permissions for the Administrators group within the Root namespace and its subnamespaces.
Missing WMI permissions very often cause problems with reading system and hardware data, even if the host itself is reachable on the network.
DCOM - default settings
The next step is to check the general DCOM settings. To do this, open dcomcnfg.exe and go to the properties of My Computer in the Component Services branch.
It is worth checking in particular:
- whether the Distributed COM object model is enabled,
- whether the authentication level is set appropriately for the environment,
- whether the impersonation level allows a proper connection,
- whether the Administrators group has the correct launch and activation permissions,
- whether the same rules also apply in COM security limits.
This part of the configuration is often where the causes of Access Denied errors or remote connection activation problems can be found.
Additional information for difficult connection problems
If the connection still does not work despite correct firewall, WMI, and DCOM settings, it is worth checking additional elements of the environment.
Local security policies
In secpol.msc, you should check the security model settings for local accounts. In some configurations, classic mode is required.
Older Windows systems
With very old systems, additional components or registry entries related to WMI and DCOM may be needed. This mainly applies to legacy Windows versions that are rarely encountered today.
Known compatibility limitations
- Windows XP Home does not support remote management in the way required for this type of scanning.
- Some older systems have limited compatibility with newer Windows versions.
In practice, if the environment is highly diverse or includes older systems, it is often faster and more reliable to use an Agent or local scanning.
Administrator account
For DCOM connections and other remote scanning methods, the correct administrator account is very important. You should make sure that the account is active, has a password set, and is correctly specified in the host configuration in Ewida Audit.
In practice, this usually means checking the status of the Administrator account from the command line and making sure that the credentials entered in the Remote Authorization field match the actual configuration of the target computer.
This is one of the simplest but also most often overlooked parts of the configuration. Without correct administrator credentials, even a properly prepared computer may fail the connection test.
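The firewall, DCOM default, local security policy, and Administrator account checks described above can be read in one pass on the computer to be scanned. This is an added example, not part of Ewida Audit or its documentation; `Get-DcomScanPrereq` is a hypothetical name, the firewall rule group is matched by its English display name, and WMI namespace permissions (wmimgmt.msc) are not covered.

```powershell
# Added example (not Ewida Audit code). Get-DcomScanPrereq is a hypothetical helper.
# Read-only; run in an elevated PowerShell session on the computer to be scanned.
function Get-DcomScanPrereq {
    # Firewall: enabled inbound rules of the built-in WMI group (English display name assumed).
    $wmiRules = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    # DCOM defaults shown in the My Computer properties in dcomcnfg.exe.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue

    # secpol.msc security model for local accounts: ForceGuest 1 = Guest only, otherwise Classic.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # Built-in Administrator, found by its well-known RID 500 so a renamed account still matches.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

    [pscustomobject]@{
        WmiFirewallRulesEnabled = $wmiRules.Count
        DcomEnabled             = ($ole.EnableDCOM -eq 'Y')
        DcomAuthLevel           = $ole.LegacyAuthenticationLevel   # empty means the system default applies
        DcomImpersonationLevel  = $ole.LegacyImpersonationLevel    # empty means the system default applies
        ClassicLocalAccountMode = ($lsa.ForceGuest -ne 1)
        AdminAccountName        = $admin.Name
        AdminEnabled            = [bool]$admin.Enabled
        AdminPasswordEverSet    = ($null -ne $admin.PasswordLastSet)
    }
}

Get-DcomScanPrereq | Format-List
```

The output only reports the current state; it does not change any setting, so it can be compared before and after the configuration steps.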