Phone Lines icon GFI Support Home

Articles in this section

See more

What are the Services Prerequisites, Settings, and Administrator Privileges Requirements to Scan a Machine, Deploy Agent and Install Missing Patches using GFI LanGuard?

Author: Andriy Rybalchenko Updated

Overview

You are implementing GFI LanGuard architecture and are looking for the information regarding required services and open ports, environmental settings, and minimum administrative privileges needed to successfully install and manage the agents, run security scans and remediation jobs. Without these settings in place, scanning operations will fail, LanGuard won't be able to communicate with remote computers and deploy patches and updates to target machines.

 

Information

GFI LanGuard operates in different environments and relies on various environmental variables to be in place, ports open, services running, etc. To successfully run LanGuard operations on target computers, ensure that the following variables are configured. 

Services

Make sure that the following services and processes are running on the GFI LanGuard Server:
  • GFI LanGuard XX Attendant (lnssatt.exe) - service responsible for managing all the LanGuard modules in LanGuard.
  • Remote Registry - service that enabled LanGuard to retrieve system information from Windows registry entries, details about the installed software, technical data for correct LanGuard operations. 
  • Windows Management Instrumentation - service needed to obtain management data from remote computers, which will be needed to identify the status and vulnerability of the scanned targets. Refer to the Microsoft KB article for service description.
  • Server - service that supports file, print, and named pipe sharing over the target network computers. File-sharing is needed to deploy missing patches. If this service is stopped, these functions will be unavailable.
  • Workstation - service that allows a client to request file and print resources from servers over the network. Similar to the server service, this is required by LanGuard to deploy patches remotely. 
  • 2 httpd.exe processes - these are the Apache HyperText Transfer Protocol (HTTP) server programs. Apache is used by LanGuard for its caching proxy features and allows computers to get patches. 

Ensure that the following services are running on the target machine:

  • Windows update - service required to use the WSUS file to obtain updates from Windows. If it is not running, LanGuard will not be able to apply any Windows patches.
  • Server - see above.
  • Workstation - see above.
  • Remote Registry - see above.
  • Remote Procedure Call (RPC) - service that allows communications and service requests from a program located on another computer in the network. It is essential for LanGuard scanning and remediation operations. Refer to the Microsoft KB article for service description.
  • Windows Management Instrumentation - see above.
  • Microsoft Application Experience (set to manual startup) - service that checks a Microsoft database for known compatibility problems and automatically enables workarounds. It can be found by searching for the Task Scheduler and then navigating to Microsoft > Windows > Application Experience. It needs to be active to apply application compatibility software updates. 

If the GFI LanGuard agents are configured to use a Relay Agent, ensure the following is running on the assigned Relay Agent:

  • GFI LanGuard Attendant XX Service (lnssatt.exe) - see above.
  • 2 httpd.exe processes - see above.

All of the above services are important for LanGuard operations, do not ignore any of these.

 

Access Rights and Administrative Privileges

Most activities executed by LanGuard are executed by the service account running the GFI LanGuard Attendant Service. The service account needs to be part of the local administrator group of each of the target machines that it needs to log on to and on the LanGuard server itself. We recommend using a domain administrator account since it will usually have these privileges.

The service account will need access to the following:

  • Remote registry of the target machine
  • Administrative shares
  • Event Log of the target machines

 

Firewall Ports and Permissions

GFI LanGuard and Relay Agents

GFI LanGuard utilizes Apache on the backend to handle the HTTP communication over the configured port, by default 1072 for LanGuard 12 and later, 1070 for the older LanGuard versions.  

Ensure the firewall is configured to allow Inbound connections on the configured TCP port on computers running:

  • GFI LanGuard
  • Relay Agents

To manually configure the communication port:

  1. Launch GFI LanGuard.
  2. Click Configuration tab > ManageAgents.
  3. From the right pane, click Agents Settings.
  4. From the Agents Settings dialog, specify the communication port in the TCP port text box.
  5. Click OK.

Note: It is possible to change the port but NOT the protocol.

 

Agent and Agent-less computers

Ensure your firewall is configured to allow Inbound requests on the ports in the table below, for:

  • Computers running Agents
  • Agent-less computers
TCP Ports Protocol Description
22 SSH Auditing Linux systems.
135 DCOM Dynamically assigned port.
137 NetBIOS Computer discovery and resource sharing.
138 NetBIOS Computer discovery and resource sharing.
139 NetBIOS Computer discovery and resource sharing.
161 SNMP

Used for computer discovery. GFI LanGuard supports SNMPv1 and SNMPv2c.

SNMPv3 and SNMP over TLS / DTLS are not supported.
445 SMB

Used while:

  • Auditing computers.
  • Agent management.
  • Patch deployment.

Ignoring port requirements will result in the scanning and remediations failing since the communication between the LanGuard server and the target clients will be impeded.

 

Network Connectivity and Security Permissions

GFI LanGuard requires the correct network settings and security permissions for the server to perform operations to computers remotely. Make sure to Test Network Connectivity and Security Permissions for GFI LanGuard Operations.

Note: If you are using VPN make sure ICMP communication is enabled.

 

File and Printing Sharing

Ensure that File and Printing Sharing is enabled, the account used has correct credentials and administrative rights to access remote computers.
 
For example, Microsoft Windows XP has a policy that interprets users outside the domain as Guest users, and the account is disabled by default. In this situation, you will receive this message in GFI LanGuard:
 
Error (1326) Logon Failure: unknown user name or bad password.
 
To change access rights settings and resolve this issue:
  1. Go to Control Panel > Administrative Tools > Local Security Policy.
  2. From the left pane of the Local Security Policy console, expand Local Policies and select Security Options.
  3. From the right pane, double-click Network access: Sharing and security model for local accounts.
  4. From the drop-down menu, change Guest-only - local users authenticate as Guest to Classic - local users authenticate as themselves.
  5. Click OK

Microsoft Windows, newer than Windows XP, have Network access security settings configured properly by default. However, if you experience the above problem on machines running Windows Vista and Windows 7, follow the steps above to change the access rights settings for that scan target.

 

Windows XP ONLY - disable Simple File Sharing

Simple File Sharing is enabled by default in Microsoft Windows XP Professional, and this stops GFI LanGuard from accessing certain components of the system remotely.
 
To disable Simple File Sharing:
  1. Open Windows Explorer and click Tools > Folder Options.
  2. From the Folder Options dialog, click the View tab.
  3. Deselect Use simple file sharing option and click OK.

WARNING: For Microsoft Windows XP Home Edition, you cannot perform the mentioned changes, and therefore remote scanning results in limited information retrieval and processing.

 

Related Articles

Related articles