
CONFIGURING WINDOWS XP SERVICE PACK 2 MACHINES FOR MANAGEMENT WITH SHAVLIK HFNETCHKPRO™


Copyright

© 2004 Shavlik Technologies. All rights reserved.

No part of this document may be reproduced or retransmitted in any form or by any means electronic, mechanical, or otherwise, including photocopying and recording for any purpose other than the purchaser’s personal use without written permission of Shavlik Technologies.

Trademarks

Shavlik, the Shavlik logo, and Shavlik HFNetChkPro are trademarks of Shavlik Technologies. Microsoft and Windows are registered trademarks of Microsoft Corporation.

All other trademarks, tradenames, or images mentioned herein belong to their respective owners.

Document information and print history

Configuring Windows XP Service Pack 2 Machines for Management with Shavlik HFNetChkPro

Document number: N/A

Date           Version                     Description
August 2004    Shavlik HFNetChkPro 4.3     Initial release of this guide.


Configuring Windows XP SP2 Machines for Management with Shavlik HFNetChkPro™ Table of Contents

TABLE OF CONTENTS

OVERVIEW

CONFIGURING WINDOWS XP SP2 ON STAND-ALONE SYSTEMS FOR MANAGEMENT WITH SHAVLIK HFNETCHKPRO
    Configuring the Windows Firewall
    Resetting the Windows Firewall

CONFIGURING WINDOWS XP SP2 VIA GROUP POLICY FOR DOMAIN JOINED MACHINES FOR MANAGEMENT WITH SHAVLIK HFNETCHKPRO
    Configuration steps
    Enhanced security
    When the machine is not joined to a domain-managed network

SUMMARY

August 2004 iii



OVERVIEW

The Shavlik HFNetChkPro™ security patch scan and deployment function operates in what is known as an 'agentless' fashion: it can scan remote machines on the network and deploy patches to them without requiring that special agent software reside on each machine. To perform agentless management, Shavlik HFNetChkPro relies on the same network protocols and authentication used by other Microsoft tools, including network logons, file and printer sharing, remote viewing of event logs and performance monitoring, among others. These communication methods are typically referred to as 'NetBIOS' or DirectHost (SMB carried directly over TCP, without NetBIOS) services. NetBIOS and DirectHost services rely on a combination of TCP and UDP ports, specifically TCP 139, TCP 445, UDP 137 and UDP 138. These services are installed by default on Windows NT 4.0 and Windows 2000 systems, as well as on domain-joined Windows XP systems.

With the advent of Windows XP Service Pack 2 (SP2) these services are, by default, no longer reachable from remote systems. The Windows Firewall that ships in Windows XP SP2 is enabled by default and drops unsolicited inbound connections on every port unless an exception has been defined. While this increases the security posture of each machine, the default setting means that applications such as file and printer sharing, web hosting, and patch scanning and deployment with Shavlik HFNetChkPro will not function as expected.

The following guidance discusses the methods by which Windows XP SP2 machines may be configured to permit management by Shavlik HFNetChkPro while still maintaining a strong security posture via the Windows Firewall. The document is divided into two main sections: the first discusses local configuration on machines that are not managed by a domain, and the second discusses machines that are part of a Windows 2000 Active Directory domain.
While reviewing this information, please keep in mind that all recommended settings should first be tested in a non-production lab environment. Also, these recommendations may be part of a larger set of organization requirements and should be considered alongside other necessary firewall configuration settings.


CONFIGURING WINDOWS XP SP2 ON STAND-ALONE SYSTEMS FOR MANAGEMENT WITH SHAVLIK HFNETCHKPRO

In order to scan and deploy patches to Windows XP SP2 systems, Shavlik HFNetChkPro needs remote access to either TCP 139 or TCP 445. This section describes how to configure the Windows Firewall to enable access to these ports.

Configuring the Windows Firewall

To configure the Windows Firewall:

1. Go to the Windows Control Panel and select Windows Firewall.

The Windows Firewall dialog appears.

From this dialog it is possible to enable, disable, or configure the Windows Firewall.


Alternate methods: You can also reach this interface by opening the Windows Security Center from the Control Panel or from its icon in the system tray, or by right-clicking the network connection icon in the system tray and selecting Change Windows Firewall settings.

(The Windows Security Center tray icon is a red shield with a white 'x'.)

After launching the Windows Security Center, click Windows Firewall to open the Windows Firewall screen.


2. On the Windows Firewall Screen, select the Exceptions tab.

On this tab you can enable the File and Printer Sharing exception (as well as the other listed services). Enabling File and Printer Sharing opens TCP ports 139 and 445, UDP ports 137 and 138, and ICMP echo request (ping); all other, non-selected services remain firewalled.

By default, the File and Printer Sharing services will be available to other machines on the same local IP subnet. If the Shavlik HFNetChkPro console resides on the same IP subnet as the Windows XP SP2 machines, this is all that is necessary to enable scanning and deployment of patches from Shavlik HFNetChkPro.

3. If the Shavlik HFNetChkPro console resides on a remote IP subnet, the list of allowed machines can be modified to include the console machine. Highlight the File and Printer Sharing service and click Edit.


The list of related services is displayed along with the ‘scope’ or list of machines allowed to interact with each port.

4. Select the desired port and click Change Scope.

HINT: Shavlik HFNetChkPro requires access to either TCP 139 or TCP 445. Access to the UDP ports is not required. You may reduce the number of open ports by selecting either TCP 139 or TCP 445—however, selection of TCP 445 also enables ICMP echo requests (ping). To make the machine appear ‘invisible’ to network ping sweeps, yet still be manageable by Shavlik HFNetChkPro, choose TCP 139 only.


Three options exist to specify machines that are allowed to communicate with the specified ports on the Windows XP SP2 machine: Any Computer, My network, and Custom list.

5. While the default My network may suffice in many instances, to provide enhanced security, you can limit access by specifying only the IP address of the Shavlik HFNetChkPro console.

Barring any other corporate requirements, it is possible to configure each Windows Firewall so that only one port, TCP 139, is open, and so that this port is accessible only from the specified Shavlik HFNetChkPro console IP address. Because the firewall silently drops packets from every other address, ping sweeps and port scans originating from non-specified addresses receive no response and will not identify any live machines or running services on the protected machines. Shavlik HFNetChkPro, however, will continue to scan and manage the firewalled systems. Note that the scope is enforced by source IP address alone, so the console's address and the credentials it uses should be kept under tight control.
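The same stand-alone configuration (including the Restore Defaults step from the next section) can be scripted with the netsh firewall context that ships with Windows XP SP2, which is useful when more than a handful of machines must be set up by hand. The following is an added example and is not part of the Shavlik guide or of HFNetChkPro. It assumes a console address of 10.1.2.5 (substitute your own) and is run from an administrative prompt on the managed machine. It shows both the subnet-scoped File and Printer Sharing exception and the hardened TCP 139-only exception; the hardened one is applied last, so that is the state the machine ends up in.

```powershell
# Added example (not from the Shavlik guide): netsh equivalents of the
# Windows Firewall steps above. The "netsh firewall" context is specific to
# Windows XP SP2 and Windows Server 2003 SP1; later versions use "netsh advfirewall".
# ASSUMPTION: the HFNetChkPro console address is 10.1.2.5.
$ConsoleAddress = '10.1.2.5'

# Start from a known state (equivalent to Advanced tab -> Restore Defaults).
netsh firewall reset

# Option A: the File and Printer Sharing exception, as the Exceptions tab checkbox does.
# This opens TCP 139/445, UDP 137/138 and ICMP echo, scoped to the local subnet.
netsh firewall set service type=fileandprint mode=enable scope=subnet

# Option B (hardened): only TCP 139, and only from the console address.
# Turn the whole File and Printer Sharing service off first so that 445, 137, 138
# and ICMP echo are not left open, then add a single custom-scoped port exception.
netsh firewall set service type=fileandprint mode=disable
netsh firewall add portopening protocol=TCP port=139 name=HFNetChkPro-NetBIOS mode=enable scope=custom "addresses=$ConsoleAddress"

# Make sure no separate ICMP setting answers echo requests (ICMP type 8).
netsh firewall set icmpsetting type=8 mode=disable

# Verify: the firewall is operational, File and Printer Sharing is disabled,
# and the only port opening listed is TCP 139 with the console address as its scope.
netsh firewall show state
netsh firewall show config
```

The scope list accepts more than one entry, so a second console can be added as a comma-separated address (for example "addresses=10.1.2.5,10.1.3.7"). Whatever is configured, read the output of the two show commands before trusting the machine to a scan: if File and Printer Sharing is still enabled, TCP 445 and ICMP echo are open regardless of the 139 entry.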


Resetting the Windows Firewall

To reset the Windows Firewall to its default configuration:

1. Click the Advanced tab.

2. Click Restore Defaults.


CONFIGURING WINDOWS XP SP2 VIA GROUP POLICY FOR DOMAIN JOINED MACHINES FOR MANAGEMENT WITH SHAVLIK HFNETCHKPRO

If the Windows XP SP2 machines are members of a Windows 2000 or later Active Directory domain, the Windows Firewall can be configured centrally through Group Policy. When the XP SP2 machines log on to the network, they inherit the customized Group Policy settings, which open the Windows Firewall ports required for Shavlik HFNetChkPro scanning and patch deployment. This is Microsoft's recommended method for centrally managing Windows Firewall settings.

To manage the Windows Firewall through the Group Policy interface, you must first download the Group Policy Management Console (GPMC) with Service Pack 1. This MMC snap-in should be installed on a Windows XP SP2 machine that is a member of your domain; the SP2 machine supplies the updated administrative template that contains the Windows Firewall policy settings. This Windows XP system and MMC will be used to configure the Windows Firewall Group Policy settings for all Windows XP SP2 systems in the domain.

Note: Installation of this MMC tool requires the .NET Framework 1.1 be installed on your Windows XP system.

The MMC tool is available from Microsoft from the following URL:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887


Configuration steps

1. After installing the MMC tool, open Group Policy Management from the Administrative Tools folder.

2. Select the Forest and the Domain for which you wish to create a Windows Firewall Policy.


3. Right-click the entry for Default Domain Policy and select Edit. (Editing the Default Domain Policy applies the settings to every computer in the domain. To limit them to the Windows XP SP2 machines, create a new GPO instead and link it to the organizational unit that contains those machines; the remaining steps are the same.)

This will open a Group Policy window for the selected domain.

4. Expand the Computer Configuration tree and navigate to Administrative Templates -> Network -> Network Connections -> Windows Firewall -> Domain Profile.


The simplest way to enable Shavlik HFNetChkPro to scan and deploy patches to domain-connected Windows XP SP2 machines is to enable the policy Windows Firewall: Allow file and printer sharing exception.

5. Right-click Windows Firewall: Allow file and printer sharing exception and select Properties.

The Properties dialog for the policy appears.

6. Choose Enabled and then enter localsubnet in the Allow unsolicited incoming messages from field.

7. To save these settings click Apply and then OK.


Enabling the File and Printer Sharing exception opens TCP ports 139 and 445, UDP ports 137 and 138, and ICMP echo request (ping), making these services available to other machines on the same local IP subnet. This also enables Shavlik HFNetChkPro to perform patch scans and deployments to these machines, as long as the Shavlik HFNetChkPro console is located in the same IP subnet as the target Windows XP SP2 machine. To systems outside the local subnet, these Windows XP SP2 machines appear completely firewalled.

Enhanced security

To further enhance security, you can replace localsubnet with a specific IP address or addresses (comma separated list) that represent the Shavlik HFNetChkPro console(s) that are allowed to scan these machines. In this instance, only those IP addresses specified in the list will be able to communicate via File and Printer Sharing services with the domain-connected Windows XP SP2 systems. Unless specified in the rule, other machines will be unable to communicate with the firewalled machines.

For even greater security, Shavlik recommends decreasing the number of available ports to only TCP 139. This has the added benefit of disabling the ICMP echo request service. In this configuration, Shavlik HFNetChkPro can scan and deploy patches to the protected system even though it can't be 'pinged'.

To implement this configuration:

1. Reset the File and Printer Sharing exception policy to Not Configured.

2. Right-click the Windows Firewall: Define port exceptions policy and choose Properties.

The Properties dialog for Windows Firewall: Define port exceptions appears.


3. Click Show.

4. Select Add and then type the following entry (the colon-separated fields are port, protocol, scope, status and name):

139:TCP:localsubnet:enabled:NetBIOS

5. Click OK.


6. Select Enabled.

7. Click Apply on the Windows Firewall: Define port exceptions Properties window and then click OK.

The above setting enables inbound connections to each machine over TCP 139 from other machines in the same IP subnet, while preventing access from any system not on that subnet. To further enhance security, you can replace 'localsubnet' with a specific IP address or addresses (comma-separated list) that represent the HFNetChkPro console(s) allowed to scan these machines. In that case only the IP addresses in the list will be able to communicate with the domain-connected Windows XP SP2 systems; unless specified in the rule, other machines will be unable to reach the firewalled machines.

If you want local machine administrators to be able to specify additional port exceptions for their own machines, enable Windows Firewall: Allow local port exceptions. If only the ports in the Define port exceptions list should be open on domain-connected machines, set that policy to Disabled instead.

The next time the Windows XP SP2 machines refresh their computer configuration policy from the domain controller, they will inherit the Group Policy settings created above. These settings apply whenever the system is connected to a network that contains a domain controller (the domain profile).


When the Windows Firewall settings are viewed from the local machine's Control Panel, the policy-defined exception appears as a checked, greyed-out entry on the Exceptions tab (File and Printer Sharing, or the named port exception). Because it is set by Group Policy, it cannot be changed locally.
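Once the policy has been applied (gpupdate /target:computer /force on a client forces an immediate refresh), the resulting exposure should be checked from the network rather than assumed. The following is an added example and is not part of the Shavlik guide or of HFNetChkPro. It is a Windows PowerShell script that relies only on the .NET Framework socket and Ping classes, and it assumes the managed machine is 10.1.2.50. Run it once from the HFNetChkPro console and once from any other host: from the console, with the TCP 139-only policy, only the first probe should be reachable; from everywhere else all three probes should time out.

```powershell
# Added example (not from the Shavlik guide): probe a managed XP SP2 machine for
# the ports the firewall exception is meant to expose, plus ICMP echo.
# ASSUMPTION: the managed machine is 10.1.2.50; override with -Target.
param([string]$Target = '10.1.2.50', [int]$TimeoutMs = 2000)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewalled port silently drops the SYN, so wait with a timeout rather than block.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)      # throws if the port answered with a reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-IcmpEcho {
    param([string]$ComputerName, [int]$TimeoutMs)
    $ping = New-Object System.Net.NetworkInformation.Ping
    try { return ($ping.Send($ComputerName, $TimeoutMs).Status -eq 'Success') }
    catch { return $false }
}

$probes = @(
    @{ Name = 'TCP 139 (NetBIOS session)';  Result = Test-TcpPort  -ComputerName $Target -Port 139 -TimeoutMs $TimeoutMs },
    @{ Name = 'TCP 445 (direct-hosted SMB)'; Result = Test-TcpPort  -ComputerName $Target -Port 445 -TimeoutMs $TimeoutMs },
    @{ Name = 'ICMP echo (ping)';            Result = Test-IcmpEcho -ComputerName $Target -TimeoutMs $TimeoutMs }
)

"Results for $Target from $env:COMPUTERNAME"
foreach ($p in $probes) {
    '{0,-28} {1}' -f $p.Name, $(if ($p.Result) { 'reachable' } else { 'filtered' })
}
# A host that is meant to manage the machine needs 'reachable' on 139 or 445;
# any other host should see 'filtered' on all three lines.
```

A 'reachable' result for TCP 445 or ICMP echo from a host other than the console means the File and Printer Sharing exception is still in effect somewhere (locally, or in the Standard Profile when the machine is off the domain), since enabling TCP 445 also enables echo replies.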

When the machine is not joined to a domain-managed network

When the system is removed from a domain-managed network, it operates under the Group Policy settings defined in the Standard Profile (as opposed to the Domain Profile discussed above). The default Standard Profile enables the Windows Firewall and allows no File and Printer Sharing connections, which prevents management by Shavlik HFNetChkPro. Local administrators can disable or reconfigure the Windows Firewall unless the Standard Profile's Windows Firewall: Protect all network connections policy is Enabled. Configure the Standard Profile settings according to your corporate guidelines.


SUMMARY

Shavlik HFNetChkPro requires access to either TCP port 139 or 445. Both of these ports are blocked by default after the installation of Windows XP SP2. By configuring the Windows Firewall, either manually on each machine or centrally via Group Policy, it is possible to enable access such that the Shavlik HFNetChkPro console can perform patch scan and deployment functions while the firewalled machines remain essentially 'invisible' to all other machines on the network. This stance increases the general security of the Windows XP SP2 machines on the network while they continue to be protected by Shavlik HFNetChkPro security patch management.

For additional information about Windows XP SP2 and the Windows Firewall, please refer to the following Microsoft URLs:

• General Windows XP SP2 information
  http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

• Deploying Windows Firewall settings for Windows XP SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1

Shavlik Technologies 2665 Long Lake Rd, Suite 400

Roseville, MN 55113
