Overview
You are implementing GFI LanGuard and need to know which services, open ports, environment settings and minimum administrative privileges are required to install and manage agents, run security scans and run remediation jobs. Without these in place, scans fail and LanGuard cannot communicate with remote computers or deploy patches and updates to target machines.
Information
GFI LanGuard runs in many different environments and depends on a number of prerequisites being in place: the right services running, the right ports open, and the right security settings applied. To run LanGuard operations against target computers successfully, make sure the following are configured.
Services
Ensure that the following are running on the computer hosting GFI LanGuard:
- GFI LanGuard XX Attendant (lnssatt.exe), where XX is the product version - the service that hosts and manages all LanGuard modules.
- Remote Registry - service that enables LanGuard to read remote Windows registry entries: installed software, system details and other data LanGuard needs to operate correctly.
- Windows Management Instrumentation - service used to obtain management data from remote computers, which LanGuard needs to determine the status and vulnerabilities of scanned targets. Refer to the Microsoft KB article for the service description.
- Server - service that provides file, print and named-pipe sharing to other computers on the network. File sharing is needed to deploy missing patches; if this service is stopped, these functions are unavailable.
- Workstation - service that lets a client request file and print resources from servers over the network. Like the Server service, LanGuard requires it to deploy patches remotely.
- Two httpd.exe processes - the Apache HyperText Transfer Protocol (HTTP) server. LanGuard uses Apache for its caching proxy and to let computers download patches from it.
Ensure that the following services are running on the target machine:
- Windows Update - service that LanGuard drives, together with the WSUS offline scan file, to detect and install Windows updates. If it is not running, LanGuard cannot apply any Windows patches.
- Server - see above.
- Workstation - see above.
- Remote Registry - see above.
- Remote Procedure Call (RPC) - service that allows communications and service requests from a program located on another computer in the network. It is essential for LanGuard scanning and remediation operations. Refer to the Microsoft KB article for service description.
- Windows Management Instrumentation - see above.
- Microsoft Application Experience (may be set to Manual startup) - service that checks a Microsoft database for known compatibility problems and automatically enables workarounds. On newer Windows versions it runs as a scheduled task under Task Scheduler > Microsoft > Windows > Application Experience. It must be active for application compatibility updates to install.
If the GFI LanGuard agents are configured to use a Relay Agent, ensure the following is running on the assigned Relay Agent:
- GFI LanGuard Attendant XX Service (lnssatt.exe) - see above.
- 2 httpd.exe processes - see above.
All of the above services are required for LanGuard operations; do not disable any of them.
Access Rights and Administrative Privileges
Most LanGuard activities run under the service account of the GFI LanGuard Attendant service. That account must be a member of the local Administrators group on the LanGuard server itself and on every target machine it has to log on to. A domain administrator account usually has these rights already; be aware, however, that its credentials are then used on every scanned host, so a dedicated service account that is granted local Administrators membership on the targets (for example through Group Policy Restricted Groups) gives the same access with less exposure.
The service account will need access to the following:
- Remote registry of the target machine
- Administrative shares
- Event Log of the target machines
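The following script is an added example for this article, not GFI's own code. Run from the LanGuard server as the Attendant service account, it checks each target for the items listed above: the required services (queried through the remote Service Control Manager over RPC), the administrative shares, remote registry, event log and WMI over DCOM. It assumes a Windows PowerShell 5.1 session (Get-Service -ComputerName and Get-WmiObject are not available in PowerShell 7) and uses constructed placeholder target names.

```powershell
# Added example, not GFI code. Pre-flight check of the services and access the
# LanGuard service account needs on each scan target. Run on the LanGuard
# server, Windows PowerShell 5.1, as the Attendant service account.
# Target names are constructed placeholders.

$targets = @('ws-01.corp.example', 'srv-02.corp.example')

# Service names as registered with the Service Control Manager.
$requiredServices = [ordered]@{
    'wuauserv'          = 'Windows Update'
    'LanmanServer'      = 'Server'
    'LanmanWorkstation' = 'Workstation'
    'RemoteRegistry'    = 'Remote Registry'
    'RpcSs'             = 'Remote Procedure Call (RPC)'
    'Winmgmt'           = 'Windows Management Instrumentation'
}

function Test-LanGuardTarget {
    param([Parameter(Mandatory)][string]$Computer)

    $result = [ordered]@{ Computer = $Computer }

    # 1. Services, via the remote Service Control Manager (RPC, TCP 135 + dynamic ports).
    foreach ($svc in $requiredServices.Keys) {
        try {
            $s = Get-Service -ComputerName $Computer -Name $svc -ErrorAction Stop
            $result[$requiredServices[$svc]] = $s.Status.ToString()
        } catch {
            $result[$requiredServices[$svc]] = 'ERROR: ' + $_.Exception.Message
        }
    }

    # 2. Administrative shares (SMB, TCP 445). Opening ADMIN$ succeeds only for
    #    members of the target's local Administrators group, so this also
    #    confirms the privilege level the article requires.
    $result['ADMIN$ share'] = Test-Path -Path "\\$Computer\ADMIN$"
    $result['C$ share']     = Test-Path -Path "\\$Computer\C$"

    # 3. Remote registry (needs the Remote Registry service on the target).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $result['Remote registry'] = 'OK (' + $key.GetValue('ProductName') + ')'
        $key.Close(); $hklm.Close()
    } catch {
        $result['Remote registry'] = 'ERROR: ' + $_.Exception.Message
    }

    # 4. Event log read access.
    try {
        $null = Get-WinEvent -ComputerName $Computer -LogName System -MaxEvents 1 -ErrorAction Stop
        $result['Event log'] = 'OK'
    } catch {
        $result['Event log'] = 'ERROR: ' + $_.Exception.Message
    }

    # 5. WMI over DCOM. Get-WmiObject uses DCOM like LanGuard does;
    #    Get-CimInstance would test WinRM instead, which is not what we want here.
    try {
        $os = Get-WmiObject -ComputerName $Computer -Class Win32_OperatingSystem -ErrorAction Stop
        $result['WMI'] = 'OK (' + $os.Caption + ')'
    } catch {
        $result['WMI'] = 'ERROR: ' + $_.Exception.Message
    }

    [pscustomobject]$result
}

$report = foreach ($t in $targets) { Test-LanGuardTarget -Computer $t }
$report | Format-List
```

Any row that reports ERROR or False points at the corresponding service or permission in the lists above; fixing those on the target before the first scan avoids the failures described in the Overview.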
Firewall Ports and Permissions
GFI LanGuard and Relay Agents
GFI LanGuard utilizes Apache on the backend to handle the HTTP communication over the configured port, by default 1072 for LanGuard 12 and later, 1070 for the older LanGuard versions.
Ensure the firewall is configured to allow Inbound connections on the configured TCP port on computers running:
- GFI LanGuard
- Relay Agents
To manually configure the communication port:
- Launch GFI LanGuard.
- Click Configuration tab > Manage Agents.
- From the right pane, click Agents Settings.
- From the Agents Settings dialog, specify the communication port in the TCP port text box.
- Click OK.
Note: It is possible to change the port but NOT the protocol.
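As an added example (not part of the GFI article), the script below creates the inbound firewall rule for the agent communication port on a LanGuard server or Relay Agent and then confirms that Apache is actually listening on it. It assumes the LanGuard 12 and later default of TCP 1072 (change $Port to whatever you set in Agents Settings), the Domain firewall profile, and an agent subnet of 10.20.0.0/16 that is only a placeholder.

```powershell
# Added example, not GFI code. Opens the agent communication port inbound on a
# LanGuard server or Relay Agent and checks that httpd.exe owns the listener.
# Assumptions: TCP 1072 (LanGuard 12+ default), Domain profile, and a
# placeholder agent subnet.

$Port        = 1072
$AgentSubnet = '10.20.0.0/16'
$RuleName    = "GFI LanGuard agent communication (TCP $Port)"

# Idempotent: create the rule only if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AgentSubnet -Profile Domain -Action Allow | Out-Null
    Write-Host "Created firewall rule '$RuleName'"
} else {
    Write-Host "Firewall rule '$RuleName' already present"
}

# The article says two httpd.exe processes should be running; verify that, and
# that one of them owns the listening socket on the configured port.
$httpd    = @(Get-Process -Name httpd -ErrorAction SilentlyContinue)
$listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
            Select-Object -First 1

if ($httpd.Count -ne 2) {
    Write-Warning "Expected 2 httpd.exe processes, found $($httpd.Count)"
}
if (-not $listener) {
    Write-Warning "Nothing is listening on TCP $Port; check Agents Settings and the Attendant service"
} elseif ($httpd.Id -notcontains $listener.OwningProcess) {
    Write-Warning "TCP $Port is held by PID $($listener.OwningProcess), not by httpd.exe"
} else {
    Write-Host "httpd.exe (PID $($listener.OwningProcess)) is listening on TCP $Port"
}
```

Restricting the rule with -RemoteAddress to the subnets your agents live in keeps the Apache listener from being reachable from the whole network; drop that parameter if agents connect from arbitrary addresses.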
Agent and Agent-less computers
Ensure your firewall is configured to allow Inbound requests on the ports in the table below, for:
- Computers running Agents
- Agent-less computers
Port | Protocol | Description |
---|---|---|
22/TCP | SSH | Auditing Linux systems. |
135/TCP | RPC endpoint mapper (DCOM) | Endpoint mapper for DCOM and WMI. The DCOM/WMI calls themselves then use dynamically assigned high TCP ports, which must also be reachable. |
137/UDP | NetBIOS name service | Computer discovery and resource sharing. |
138/UDP | NetBIOS datagram | Computer discovery and resource sharing. |
139/TCP | NetBIOS session | Computer discovery and resource sharing. |
161/UDP | SNMP | Computer discovery. GFI LanGuard supports SNMPv1 and SNMPv2c; SNMPv3 and SNMP over TLS / DTLS are not supported. |
445/TCP | SMB | Access to the administrative shares (file sharing), used when retrieving data from targets and when deploying patches and updates. |
Ignoring these port requirements causes scans and remediation to fail, because communication between the LanGuard server and the target computers is blocked.
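The script below is an added example and not part of the GFI article. It has two parts: a function to run on each scan target (agent or agent-less) that enables the built-in Windows Firewall rule groups covering the ports in the table, and a function to run from the LanGuard server that probes the TCP ports. It assumes Windows 7 / Server 2008 R2 or later targets and uses constructed placeholder host names; the UDP ports (137, 138, 161) cannot be probed with a TCP connect and are covered only by the rule groups.

```powershell
# Added example, not GFI code.
# Part 1 (run on the target): enable the built-in rule groups for the table's ports.
# Part 2 (run on the LanGuard server): probe the TCP ports from the table.
# Host names are constructed placeholders.

function Enable-LanGuardTargetRules {
    # File and Printer Sharing covers NetBIOS 137-139, SMB 445 and ICMP echo;
    # the WMI group covers DCOM on 135 plus the dynamic RPC ports;
    # Remote Event Log Management covers event log reads over RPC.
    $groups = @(
        'File and Printer Sharing',
        'Windows Management Instrumentation (WMI)',
        'Remote Event Log Management'
    )
    foreach ($g in $groups) {
        Enable-NetFirewallRule -DisplayGroup $g -ErrorAction Stop
        Write-Host "Enabled rule group: $g"
    }
    # SNMP rules only exist when the SNMP Service feature is installed.
    if (Get-NetFirewallRule -DisplayGroup 'SNMP Service' -ErrorAction SilentlyContinue) {
        Enable-NetFirewallRule -DisplayGroup 'SNMP Service'
        Write-Host 'Enabled rule group: SNMP Service'
    }
}

function Test-LanGuardTargetPorts {
    param(
        [Parameter(Mandatory)][string[]]$Computer,
        [switch]$Linux   # Linux targets are audited over SSH only
    )
    # Only TCP ports can be probed this way. 137/138 (NetBIOS) and 161 (SNMP)
    # are UDP and give no connection-level answer.
    $tcpPorts = if ($Linux) {
        [ordered]@{ 22 = 'SSH' }
    } else {
        [ordered]@{
            135 = 'RPC endpoint mapper (DCOM/WMI)'
            139 = 'NetBIOS session'
            445 = 'SMB (administrative shares)'
        }
    }
    foreach ($c in $Computer) {
        foreach ($p in $tcpPorts.Keys) {
            $open = Test-NetConnection -ComputerName $c -Port $p `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Computer = $c; Port = $p; Service = $tcpPorts[$p]; Open = $open }
        }
    }
}

# Usage from the LanGuard server (placeholder targets):
Test-LanGuardTargetPorts -Computer 'ws-01.corp.example', 'srv-02.corp.example' |
    Format-Table -AutoSize
Test-LanGuardTargetPorts -Computer 'lnx-01.corp.example' -Linux |
    Format-Table -AutoSize
```

A False in the Open column for 135, 139 or 445 on a Windows target is exactly the condition described above: the scan will start but data retrieval or patch deployment will fail until the port is opened.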
Network Connectivity and Security Permissions
GFI LanGuard requires correct network settings and security permissions for the server to perform operations on remote computers. Make sure to Test Network Connectivity and Security Permissions for GFI LanGuard Operations.
Note: If you are using VPN make sure ICMP communication is enabled.
File and Printer Sharing
- Go to Control Panel > Administrative Tools > Local Security Policy.
- From the left pane of the Local Security Policy console, expand Local Policies and select Security Options.
- From the right pane, double-click Network access: Sharing and security model for local accounts.
- From the drop-down menu, change Guest-only - local users authenticate as Guest to Classic - local users authenticate as themselves.
- Click OK
Windows versions newer than Windows XP have the Network access security settings configured correctly by default. However, if you experience the above problem on machines running Windows Vista or Windows 7, follow the steps above to change the access rights setting on that scan target.
Windows XP ONLY - disable Simple File Sharing
- Open Windows Explorer and click Tools > Folder Options.
- From the Folder Options dialog, click the View tab.
- Deselect Use simple file sharing option and click OK.
WARNING: For Microsoft Windows XP Home Edition, you cannot perform the mentioned changes, and therefore remote scanning results in limited information retrieval and processing.
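Both procedures above (the Local Security Policy change for Vista and Windows 7, and disabling Simple File Sharing on Windows XP Professional) set the same underlying value: the ForceGuest DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 1 means Guest only and 0 means Classic. The script below is an added example, not GFI's own, that applies the Classic setting directly. It assumes it is run locally on the scan target with administrative rights. Note that the setting only affects logons with local accounts, so a domain service account is unaffected by it, and that a domain Group Policy for the same security option overrides whatever is set here.

```powershell
# Added example, not GFI code. Sets "Network access: Sharing and security model
# for local accounts" to Classic via its registry value (ForceGuest: 1 = Guest
# only, 0 = Classic). On Windows XP Professional the same value backs the
# "Use simple file sharing" checkbox. Run locally on the scan target as an
# administrator. Domain Group Policy overrides this value if it is configured.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-SharingModel {
    # Returns the effective model as a string.
    $v = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    if ($null -eq $v)  { return 'Classic (value not set)' }
    if ($v -eq 0)      { return 'Classic' }
    return 'GuestOnly'
}

function Set-SharingModelClassic {
    $before = Get-SharingModel
    if ($before -like 'Classic*') {
        Write-Host "Already $before - local users authenticate as themselves"
        return
    }
    Set-ItemProperty -Path $lsaKey -Name ForceGuest -Value 0 -Type DWord
    Write-Host "Changed sharing model: $before -> $(Get-SharingModel)"
}

Set-SharingModelClassic
```

Running Get-SharingModel alone is a quick way to confirm the setting on a target that keeps returning limited scan results without changing anything.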