Configuring Windows XP SP2 Firewall for Network-based Scanning

Guest

We run a network based scanner, similar to Nessus, to check for
vulnerabilities on client machines. Assuming Windows XP is running, is there
a way to administratively be able to take the firewall down, or open up a
port, so we can complete the scan? Ideally, no user interaction or
intervention would be required.

Thanks.
 
ScareCrowe

tealblue said:
We run a network based scanner, similar to Nessus, to check for
vulnerabilities on client machines. Assuming Windows XP is running, is there
a way to administratively be able to take the firewall down, or open up a
port, so we can complete the scan? Ideally, no user interaction or
intervention would be required.

Thanks.

I don't have an answer but your question makes me ask you a question:
Do you really want a firewall with the capability of being shut off
remotely? Your request seems to be counter-productive to me.

If you do accomplish this, are the clients you refer to people or boxes? If
they are people and you do this as a service, what will their reaction be
when they find out you are disabling their protection? I'm sorry, but it
sounds more like you are trying to defeat in-place security than enforce it.

Hey maybe I'm totally off base here, but I personally will not buy a
firewall that some Joe Schmoe can disable remotely from the comfort of his
own home before hacking my box! Anyone? Anyone?

--ScareCrowe
 
Danny Sanders

I would think a better representation of the security of your network would
be done with the firewall in place. A firewall is part of your security; why
take it down? The computer is operated with the firewall running on an
everyday basis, right? Scanning with the firewall up will reveal what is
getting through the firewall. That is the important information: what is
getting through your firewalls.

hth
DDS W 2k MVP MCSE
 
Guest

I am not talking about a home environment. I am an IT Admin and I need to
scan machines on my internal network for vulnerabilities that go beyond what
AV software and the firewall can protect.

I am looking for guidance on how to take the firewall down for **seconds**
while we do this scan.
 
Guest

Find out what port(s) your security scanner requires and open that up on
the Windows firewall.
 
Guest

As an admin, I need to know what is on the desktop as well. Does the user
have their AV in place and up to date? Do they have spyware running?

I know this seems strange, but philosophically we have a tough time relying
solely on the desktop to safeguard itself.

I am not really in a position to discuss the philosophical merits of each
approach; I am looking for some technical guidance.

thanks.
 
ScareCrowe

tealblue said:
I am not talking about a home environment. I am an IT Admin and I need to
scan machines on my internal network for vulnerabilities that go beyond what
AV software and the firewall can protect.

I am looking for guidance on how to take the firewall down for **seconds**
while we do this scan.

Well IMHO, here is the bottom line:
If you are able to disable the firewall, even temporarily, then you are 100%
vulnerable, 100% of the time. Period.

I'm no guru, but I know that if I can do something like this, so can the
'hacker'.

I'm getting the impression you know more about the specific vulnerability
than you are telling. Perhaps you could be more forthcoming with the details
and someone could help you further?

--ScareCrowe
 
David Beder [MSFT]

The easy answer is to find out what port your scanning service uses and open
it with the scope set to the scanning machines. Unfortunately, many scanning
utilities don't always work over a fixed port. The IPsec bypass feature was
created just for that purpose. It relies on the authentication of the
incoming peer using IPsec, then consults the Active Directory against a
group policy defined set of allowed computers which can access all ports. It
requires a minimal IPsec policy rollout, typically using Kerberos
authentication. You'll also want to create a specific security group for
your scanning machines.

There's a firewall deployment guide on Microsoft.com (and maybe the TechNet
articles as well) which can walk you through this feature.
 
