Configuring Windows XP SP2 Firewall for Network-based Scan..

Anonymous
March 4, 2005 1:45:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin

We run a network based scanner, similar to Nessus, to check for
vulnerabilities on client machines. Assuming Windows XP is running, is there
a way to administratively be able to take the firewall down, or open up a
port, so we can complete the scan? Ideally, no user interaction or
intervention would be required.

Thanks.
Anonymous
March 4, 2005 3:05:06 PM

Find out what port(s) your security scanner requires and open that up on
the Windows firewall.

"tealblue" wrote:

> We run a network based scanner, similar to Nessus, to check for
> vulnerabilities on client machines. Assuming Windows XP is running, is there
> a way to administratively be able to take the firewall down, or open up a
> port, so we can complete the scan? Ideally, no user interaction or
> intervention would be required.
>
> Thanks.
Anonymous
March 4, 2005 5:25:26 PM

"tealblue" <tealblue@discussions.microsoft.com> wrote in message
news:3B99197E-8E88-427E-AFE8-DD1795B1F0BA@microsoft.com...
> I am not talking about a home environment, I am an IT Admin and I need to
> scan machines on my internal network for vulnerabilities that go beyond what
> AV software and the firewall can protect.
>
> I am looking for guidance on how to take the firewall down for **seconds**
> while we do this scan.
>

Well IMHO, here is the bottom line:
If you are able to disable the firewall, even temporarily, then you are 100%
vulnerable, 100% of the time. Period.

I'm no guru, but I know that if I can do something like this, so can the
'hacker'.

I'm getting the impression you know more about the specific vulnerability
than you are telling. Perhaps you could be more forthcoming with the details
and someone could help you further?

--ScareCrowe
Anonymous
March 6, 2005 3:40:49 AM

The easy answer is to find out what port your scanning service uses and open
it with the scope set to the scanning machines. Unfortunately, many scanning
utilities don't always work over a fixed port. The ipsec bypass feature was
created just for that purpose. It relies on the authentication of the
incoming peer using ipsec, then consults the Active Directory against a
group policy defined set of allowed computers which can access all ports. It
requires a minimal ipsec policy rollout, typically using kerberos
authentication. You'll also want to create a specific security group for
your scanning machines.

There's a firewall deployment guide on Microsoft.com (and maybe the TechNet
articles as well) which can walk you through this feature.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


"tealblue" <tealblue@discussions.microsoft.com> wrote in message
news:FDF17C6E-8B2D-421F-A114-CF5349CD14CF@microsoft.com...
> We run a network based scanner, similar to Nessus, to check for
> vulnerabilities on client machines. Assuming Windows XP is running, is there
> a way to administratively be able to take the firewall down, or open up a
> port, so we can complete the scan? Ideally, no user interaction or
> intervention would be required.
>
> Thanks.
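The "open the port with the scope set to the scanning machines" approach from David's reply, written out as an added batch script for XP SP2's `netsh firewall` context (this is not code from the thread or from Microsoft). It assumes the scanner probes TCP 135, 139 and 445 and runs from two placeholder addresses; adjust PORTS and SCANNERS to your environment.

```batch
@echo off
rem Added example: scope XP SP2 firewall exceptions to the scanner hosts
rem instead of disabling the firewall for the scan window.
rem Assumptions (placeholders): scanner hosts 192.168.10.5 and 192.168.10.6,
rem scanner checks TCP 135, 139 and 445; machines are domain-joined (DOMAIN profile).

set SCANNERS=192.168.10.5,192.168.10.6
set PORTS=135 139 445

if "%1"=="close" goto :close

rem Weak setting (not used here): scope=ALL accepts the port from every
rem source, so the opening outlives the scan and is reachable network-wide.
rem   netsh firewall add portopening protocol=TCP port=445 name="Scan" mode=ENABLE scope=ALL

rem Corrected setting: scope=CUSTOM restricts the exception to the scanner addresses.
for %%P in (%PORTS%) do (
    netsh firewall add portopening protocol=TCP port=%%P name="VulnScan %%P" mode=ENABLE scope=CUSTOM addresses=%SCANNERS% profile=DOMAIN
)

rem Check: each "VulnScan" entry should list only the scanner addresses.
netsh firewall show portopening
goto :eof

:close
rem Run "thisscript.cmd close" once the scan window is over to remove the exceptions.
for %%P in (%PORTS%) do (
    netsh firewall delete portopening protocol=TCP port=%%P profile=DOMAIN
)
netsh firewall show portopening
```

Deploy it as a computer startup script through Group Policy so no user interaction is needed; if the scanner sweeps arbitrary ports rather than a fixed list, this per-port method will not cover it, which is the case David's IPsec bypass suggestion addresses.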