Configuring Windows XP SP2 Firewall for Network-based Scan..

Archived from groups: microsoft.public.windowsxp.security_admin

We run a network based scanner, similar to Nessus, to check for
vulnerabilities on client machines. Assuming Windows XP is running, is there
a way to administratively be able to take the firewall down, or open up a
port, so we can complete the scan. Ideally, no user interaction or
intervention would be required.

Thanks.
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    Find out what port(s) your security scanner requires and open that up on
    the Windows firewall.

    "tealblue" wrote:

    > We run a network based scanner, similar to Nessus, to check for
    > vulnerabilities on client machines. Assuming Windows XP is running, is there
    > a way to administratively be able to take the firewall down, or open up a
    > port, so we can complete the scan. Ideally, no user interaction or
    > intervention would be required.
    >
    > Thanks.
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    "tealblue" <tealblue@discussions.microsoft.com> wrote in message
    news:3B99197E-8E88-427E-AFE8-DD1795B1F0BA@microsoft.com...
    > I am not talking about a home environment, I am an IT Admin and I need to
    > scan machines on my internal network for vulnerabilities that go beyond
    > what AV software and the firewall can protect.
    >
    > I am looking for guidance on how to take the firewall down for **seconds**
    > while we do this scan.
    >

    Well IMHO, here is the bottom line:
    If you are able to disable the firewall, even temporarily, then you are 100%
    vulnerable, 100% of the time. Period.

    I'm no guru, but I know that if I can do something like this, so can the
    'hacker'.

    I'm getting the impression you know more about the specific vulnerability
    than you are telling. Perhaps you could be more forthcoming with the details
    and someone could help you further?

    --ScareCrowe
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    The easy answer is to find out what port your scanning service uses and open
    it with the scope set to the scanning machines. Unfortunately, many scanning
    utilities don't always work over a fixed port. The IPsec bypass feature was
    created just for that purpose. It relies on the authentication of the
    incoming peer using IPsec, then consults the Active Directory against a
    group policy defined set of allowed computers which can access all ports. It
    requires a minimal IPsec policy rollout, typically using Kerberos
    authentication. You'll also want to create a specific security group for
    your scanning machines.

    There's a firewall deployment guide on Microsoft.com (and maybe the TechNet
    articles as well) which can walk you through this feature.

    --
    David
    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.


    "tealblue" <tealblue@discussions.microsoft.com> wrote in message
    news:FDF17C6E-8B2D-421F-A114-CF5349CD14CF@microsoft.com...
    > We run a network based scanner, similar to Nessus, to check for
    > vulnerabilities on client machines. Assuming Windows XP is running, is
    > there a way to administratively be able to take the firewall down, or
    > open up a port, so we can complete the scan. Ideally, no user interaction
    > or intervention would be required.
    >
    > Thanks.
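
The scoped port opening suggested in the answer above, as an added example that is not part of the original thread: a batch script for the XP SP2 `netsh firewall` context that opens one port to the scanning machines only, instead of taking the firewall down. The port number, addresses and rule name are constructed sample values, not details from the thread.

```batch
@echo off
setlocal

rem Constructed sample values (assumptions): replace with the port your
rem scanner actually needs and the addresses of your scanning machines.
set "SCAN_PORT=10123"
set "SCANNERS=192.0.2.10,192.0.2.11"
set "RULE_NAME=Vuln scanner (scoped)"

rem Open the port to the scanner addresses only (scope=CUSTOM), and only in
rem the domain profile, so the exception is not active when the machine is
rem away from the managed network.
netsh firewall add portopening protocol=TCP port=%SCAN_PORT% name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%SCANNERS% profile=DOMAIN

rem Show the resulting port openings and their scope for verification.
netsh firewall show portopening verbose=ENABLE

rem To withdraw the exception later:
rem   netsh firewall delete portopening protocol=TCP port=%SCAN_PORT% profile=DOMAIN

endlocal
```

Deployed as a computer startup script through Group Policy, this runs without user interaction. It covers only a scanner that works over a fixed port; for the other case the answer points to the IPsec bypass feature.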