Answer
By default, the built-in firewall of Microsoft Windows Vista/Server 2008 and later blocks the inbound connections and services that remote scanning relies on.
The following settings must be configured on a Windows Vista or later machine that will be scanned remotely with GFI LanGuard:
- Setting 1: Enable File and Printer Sharing on the remote computer to be scanned
- Setting 2: Enable WMI on the machine which will be scanned remotely
- Setting 3: Remote Registry must be enabled and readable and writable from the GFI LanGuard server
- Setting 4: Admin shares must be enabled and C$ must be accessible read/write from the LanGuard server
- Setting 5: Enable Remote Procedure Call (RPC) and Remote Registry on the remote machines
- Setting 6: Open the ports required by LanGuard
Setting 1: Enable File and Printer Sharing on the machine which will be scanned remotely
Microsoft Windows Vista and Microsoft Windows Server 2008
- Open Control Panel > Security > Allow a program through Windows Firewall > Exceptions tab
- Select File and Printer Sharing
- Confirm the changes
Microsoft Windows 7
- Open Control Panel > System and Security
- Under the Windows Firewall section, click Allow a program through Windows Firewall
- Click the Change settings button
- Select File and Printer Sharing and tick Home/Work (Private)
- Click OK to confirm changes
Microsoft Windows 8
- Hover over the bottom right corner of the desktop to open the charms bar
- Select Settings > Control Panel
- Click System and Security
- Under the Windows Firewall section, click Allow an app through Windows Firewall
- Click the Change settings button
- Select File and Printer Sharing and tick Private
- Click OK to confirm changes
Setting 2: Enable WMI on the machine which will be scanned remotely
Microsoft Windows Vista and Microsoft Windows Server 2008
- Open Control Panel > Security > Allow a program through Windows Firewall > Exceptions tab
- Select Windows Management Instrumentation (WMI)
- Confirm the changes
Microsoft Windows 7
- Open Control Panel > System and Security
- Under the Windows Firewall section, click Allow a program through Windows Firewall
- Click the Change settings button
- Select Windows Management Instrumentation (WMI) and tick Home/Work (Private)
- Click OK to confirm changes
Microsoft Windows 8
- Hover over the bottom right corner of the desktop to open the charms bar
- Select Settings > Control Panel
- Click System and Security
- Under the Windows Firewall section, click Allow an app through Windows Firewall
- Click the Change settings button
- Select Windows Management Instrumentation (WMI) and tick Private
- Click OK to confirm changes
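The GUI steps for Settings 1 and 2 (and the Remote Registry service from Settings 3 and 5) can be applied from an elevated PowerShell prompt on the machine to be scanned. The script below is an added example, not part of the original article or of GFI's own tooling. It assumes the English display names of the built-in rule groups (a localized Windows uses different names) and restricts the rules to the Domain and Private profiles, as the GUI steps do; it falls back to netsh advfirewall on Vista/7/Server 2008 where the NetSecurity cmdlets do not exist.

```powershell
# Added example (not from the original article): Settings 1, 2 and 5 from the
# command line. Run as an administrator on the machine that will be scanned.
# Assumption: English rule-group display names; adjust on a localized Windows.

$RuleGroups = @(
    'File and Printer Sharing',                  # Setting 1: SMB/NetBIOS, also carries the remote registry named pipe
    'Windows Management Instrumentation (WMI)'   # Setting 2: DCOM/WMI
)

function Enable-LanGuardRuleGroups {
    param([string[]] $Groups = $RuleGroups)

    $haveNetSecurity = [bool](Get-Command Set-NetFirewallRule -ErrorAction SilentlyContinue)

    foreach ($group in $Groups) {
        if ($haveNetSecurity) {
            # Windows 8 / Server 2012 and later: enable only the inbound rules of
            # the group and limit them to Domain and Private, never Public.
            Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
                Set-NetFirewallRule -Enabled True -Profile Domain,Private
        } else {
            # Windows Vista / 7 / Server 2008 (R2): same change through netsh.
            netsh advfirewall firewall set rule group="$group" dir=in new enable=yes profile=domain,private | Out-Null
        }
    }

    # Setting 5: the Remote Registry service is stopped (Manual) by default on
    # client SKUs; the firewall exception alone does not make it reachable.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
}

function Test-LanGuardRuleGroups {
    param([string[]] $Groups = $RuleGroups)
    # Show what is actually enabled, so a failing scan can be traced to the host.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        foreach ($group in $Groups) {
            Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
                Select-Object DisplayName, Enabled, Profile
        }
    } else {
        foreach ($group in $Groups) {
            # netsh prints Rule Name / Enabled / Profiles a few lines above Grouping:
            netsh advfirewall firewall show rule name=all dir=in |
                Select-String -Pattern "Grouping:\s+$([regex]::Escape($group))" -Context 5,0
        }
    }
    Get-Service -Name RemoteRegistry | Select-Object Name, Status
}

Enable-LanGuardRuleGroups
Test-LanGuardRuleGroups
```

Only the inbound rules are enabled, and only for Domain and Private; leaving the Public profile closed is what the "Home/Work (Private)" checkbox in the GUI steps achieves, and it keeps SMB and DCOM unreachable when the machine is on an untrusted network.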
Setting 6: Allow traffic on the ports used by GFI LanGuard
The required ports are listed in the article linked here.
Microsoft Windows Vista and Microsoft Windows Server 2008
- Open Control Panel > Security > Allow a program through Windows Firewall > Exceptions tab
- Click Add port. In the Add port window enter the following properties:
- Name: LanGuard deployment ports
- Port Type: select the protocol (TCP or UDP)
- Range: specify the port number
- Confirm the changes
Microsoft Windows 7
- Open Control Panel > System and Security > Windows Firewall
- Click the Advanced Settings link
- Right click Inbound Rules and select New Rule...
- Select Port and click Next
- Select the required protocol (TCP or UDP)
- Select Specific local ports and enter the port number
- Click Next to proceed
- Select the option Allow the connection and click Next
- Tick the options Domain and Private and click Next
- Enter the name LanGuard deployment ports and click Finish
Microsoft Windows 8
- Hover over the bottom right corner of the desktop to open the charms bar
- Select Settings > Control Panel
- Click System and Security > Windows Firewall
- Click the Advanced Settings link
- Right click Inbound Rules and select New Rule...
- Select Port and click Next
- Select the required protocol (TCP or UDP)
- Select Specific local ports and enter the port number
- Click Next to proceed
- Select the option Allow the connection and click Next
- Tick the options Domain and Private and click Next
- Enter the name LanGuard deployment ports and click Finish
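The same inbound port rule can be created from an elevated PowerShell prompt on the machine to be scanned. This is an added example, not code from the original article or from GFI; the real port list comes from the article linked above, and the ports and server address in the usage line at the bottom are placeholders for this example only. The one thing the GUI steps do not offer in the basic dialog, and which is worth doing, is scoping the rule to the LanGuard server's address instead of every host on the Domain and Private networks.

```powershell
# Added example (not from the original article): create the inbound
# "LanGuard deployment ports" rule of Setting 6 without the GUI.
# Run as an administrator on the machine that will be scanned.

function Add-LanGuardPortRule {
    param(
        # Port numbers or ranges such as '49152-65535'; take them from the linked article.
        [Parameter(Mandatory = $true)] [string[]] $Port,
        [ValidateSet('TCP', 'UDP')] [string] $Protocol = 'TCP',
        # Least privilege: restrict the rule to the LanGuard server's address
        # rather than leaving the ports open to the whole Domain/Private network.
        [string] $RemoteAddress = 'Any',
        [string] $Name = 'LanGuard deployment ports'
    )

    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: NetSecurity cmdlets. Skip if the
        # rule already exists so re-running the script does not duplicate it.
        if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
                -Protocol $Protocol -LocalPort $Port -RemoteAddress $RemoteAddress `
                -Profile Domain,Private | Out-Null
        }
    } else {
        # Windows Vista / 7 / Server 2008 (R2): netsh advfirewall.
        $ports = $Port -join ','
        netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
            protocol=$Protocol localport=$ports remoteip=$RemoteAddress profile=domain,private | Out-Null
    }
}

function Get-LanGuardPortRule {
    param([string] $Name = 'LanGuard deployment ports')
    # Read the rule back, including its port and address filters.
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rule = Get-NetFirewallRule -DisplayName $Name
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Enabled       = $rule.Enabled
            Profile       = $rule.Profile
            LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        }
    } else {
        netsh advfirewall firewall show rule name="$Name"
    }
}

# Placeholder values for this example: substitute the ports from the linked
# article and the LanGuard server's real address (192.0.2.10 is a documentation address).
Add-LanGuardPortRule -Port 135, 445 -RemoteAddress '192.0.2.10'
Get-LanGuardPortRule
```

From the LanGuard server itself, `Test-NetConnection -ComputerName <scanned host> -Port <port>` (Windows 8/Server 2012 and later) confirms that the rule is reachable before a scan is scheduled; a `TcpTestSucceeded` of False with the rule present usually means the wrong profile is active on the target or an intermediate firewall is in the way.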
More Information:
- To scan a Microsoft Windows Vista or later machine remotely, use a domain account. Because of the remote restrictions that User Account Control (UAC) applies, a local administrator account (other than the built-in Administrator) that connects over the network receives a filtered, non-elevated token and therefore cannot access the registry and system files. To scan Microsoft Windows Vista or later remotely with local accounts it is necessary to disable UAC completely or to disable UAC token filtering for remote operations only.
- User Account Control can be disabled completely by altering the security policies as follows:
- Open the Security Policy Manager snap-in (Start > Run > secpol.msc )
- Under Local Policies > Security Options, set User Account Control: Run all administrators in Admin Approval Mode = Disabled (this change takes effect after a reboot)
- Apply the changes
- UAC can also be disabled only for any remote operations taking place on the Microsoft Windows Vista or later machine. This can be done from the registry as follows:
- Open Registry Editor (Start > Run > Regedit)
- Browse to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
- Create a new DWORD value: LocalAccountTokenFilterPolicy
- Set LocalAccountTokenFilterPolicy to 1
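The two UAC changes above can be applied and, more importantly, reverted from an elevated PowerShell prompt on the scanned machine. The script below is an added example, not part of the original article. It sets and removes LocalAccountTokenFilterPolicy (the narrower of the two changes; it takes effect for new network logons without a reboot) and only reads EnableLUA, the registry value behind the "Run all administrators in Admin Approval Mode" policy, because disabling UAC entirely is the broader change and needs a reboot.

```powershell
# Added example (not from the original article): manage the UAC remote
# token filter used for scanning with local accounts. Run as an administrator
# on the machine that will be scanned.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        # EnableLUA backs "User Account Control: Run all administrators in Admin
        # Approval Mode"; 1 (or absent) means UAC is on, 0 means fully disabled.
        AdminApprovalMode         = ($p.EnableLUA -ne 0)
        # LocalAccountTokenFilterPolicy = 1 gives local administrators a full
        # token over the network instead of a filtered one.
        RemoteTokenFilterDisabled = ($p.LocalAccountTokenFilterPolicy -eq 1)
    }
}

function Disable-RemoteUacTokenFilter {
    # Note: with the filter off, any local administrator account, not just the
    # built-in Administrator, is fully usable over the network. That is exactly
    # what lateral-movement tooling relies on, so prefer a domain scanning
    # account and revert this once the scan window is over.
    New-ItemProperty -Path $UacKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-UacState
}

function Restore-RemoteUacTokenFilter {
    # Removing the value restores the default (filtered) behaviour.
    Remove-ItemProperty -Path $UacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Get-UacState
}

Get-UacState                     # current state before any change
Disable-RemoteUacTokenFilter     # before the scan
# ... run the GFI LanGuard scan with the local account ...
Restore-RemoteUacTokenFilter     # after the scan
```

If a domain account is available at all, it is the better option: it needs neither of these registry changes and leaves the UAC protection for local accounts in place on every scanned host.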
Note: Scripts which use external technologies such as WMI, ADSI and others require that the specific ports for those services are open. More information about the ports you need to open is available on the Microsoft website.