A Windows XP help forum. PCbanter

Configuring Windows XP SP2 Firewall for Network-based Scanning



 
 
#1 tealblue, March 4th 05, 06:45 PM

We run a network based scanner, similar to Nessus, to check for
vulnerabilities on client machines. Assuming Windows XP is running, is there
a way to administratively be able to take the firewall down, or open up a
port, so we can complete the scan? Ideally, no user interaction or
intervention would be required.

Thanks.
#2 ScareCrowe, March 4th 05, 07:36 PM

"tealblue" wrote in message ...
> We run a network based scanner, similar to Nessus, to check for
> vulnerabilities on client machines. Assuming Windows XP is running, is there
> a way to administratively be able to take the firewall down, or open up a
> port, so we can complete the scan? Ideally, no user interaction or
> intervention would be required.
>
> Thanks.


I don't have an answer but your question makes me ask you a question:
Do you really want a firewall with the capability of being shut off
remotely? Your request seems to be counter-productive to me.

If you do accomplish this, are the clients you refer to people or boxes? If
they are people and you do this as a service, what will their reaction be
when they find out you are disabling their protection? I'm sorry, but it
sounds more like you are trying to defeat in-place security than enforce it.

Hey maybe I'm totally off base here, but I personally will not buy a
firewall that some Joe Schmoe can disable remotely from the comfort of his
own home before hacking my box! Anyone? Anyone?

--ScareCrowe


#3 Danny Sanders, March 4th 05, 07:46 PM

I would think a better representation of the security of your network would
be done with the firewall in place. A firewall is part of your security, why
take it down? The computer is operated with the firewall running on an
everyday basis, right? Scanning with the firewall up will reveal what is
getting through the firewall. That is the important information. What is
getting through your firewalls.

hth
DDS W 2k MVP MCSE

"ScareCrowe" wrote in message ...
>
> "tealblue" wrote in message ...
>> We run a network based scanner, similar to Nessus, to check for
>> vulnerabilities on client machines. Assuming Windows XP is running, is there
>> a way to administratively be able to take the firewall down, or open up a
>> port, so we can complete the scan? Ideally, no user interaction or
>> intervention would be required.
>>
>> Thanks.
>
> I don't have an answer but your question makes me ask you a question:
> Do you really want a firewall with the capability of being shut off
> remotely? Your request seems to be counter-productive to me.
>
> If you do accomplish this, are the clients you refer to people or boxes? If
> they are people and you do this as a service, what will their reaction be
> when they find out you are disabling their protection? I'm sorry, but it
> sounds more like you are trying to defeat in-place security than enforce it.
>
> Hey maybe I'm totally off base here, but I personally will not buy a
> firewall that some Joe Schmoe can disable remotely from the comfort of his
> own home before hacking my box! Anyone? Anyone?
>
> --ScareCrowe



#4 tealblue, March 4th 05, 08:05 PM

I am not talking about a home environment, I am an IT Admin and I need to
scan machines on my internal network for vulnerabilities that go beyond what
AV software and the firewall can protect.

I am looking for guidance on how to take the firewall down for **seconds**
while we do this scan.

"ScareCrowe" wrote:

> "tealblue" wrote in message ...
>> We run a network based scanner, similar to Nessus, to check for
>> vulnerabilities on client machines. Assuming Windows XP is running, is there
>> a way to administratively be able to take the firewall down, or open up a
>> port, so we can complete the scan? Ideally, no user interaction or
>> intervention would be required.
>>
>> Thanks.
>
> I don't have an answer but your question makes me ask you a question:
> Do you really want a firewall with the capability of being shut off
> remotely? Your request seems to be counter-productive to me.
>
> If you do accomplish this, are the clients you refer to people or boxes? If
> they are people and you do this as a service, what will their reaction be
> when they find out you are disabling their protection? I'm sorry, but it
> sounds more like you are trying to defeat in-place security than enforce it.
>
> Hey maybe I'm totally off base here, but I personally will not buy a
> firewall that some Joe Schmoe can disable remotely from the comfort of his
> own home before hacking my box! Anyone? Anyone?
>
> --ScareCrowe



#5 The Frustrated Monk, March 4th 05, 08:05 PM

Find out what port(s) your security scanner requires and open that up on
the Windows firewall.

"tealblue" wrote:

> We run a network based scanner, similar to Nessus, to check for
> vulnerabilities on client machines. Assuming Windows XP is running, is there
> a way to administratively be able to take the firewall down, or open up a
> port, so we can complete the scan? Ideally, no user interaction or
> intervention would be required.
>
> Thanks.

#6 tealblue, March 4th 05, 08:11 PM

As an admin, I need to know what is on the desktop as well. Does the user
have their AV in place and up to date? Do they have spyware running?

I know this seems strange, but philosophically we have a tough time relying
solely on the desktop to safeguard itself.

I am not really in a position to discuss the philosophical merits of each
approach; I am looking for some technical guidance.

thanks.

"Danny Sanders" wrote:

> I would think a better representation of the security of your network would
> be done with the firewall in place. A firewall is part of your security, why
> take it down? The computer is operated with the firewall running on an
> everyday basis, right? Scanning with the firewall up will reveal what is
> getting through the firewall. That is the important information. What is
> getting through your firewalls.
>
> hth
> DDS W 2k MVP MCSE
>
> "ScareCrowe" wrote in message ...
>>
>> "tealblue" wrote in message ...
>>> We run a network based scanner, similar to Nessus, to check for
>>> vulnerabilities on client machines. Assuming Windows XP is running, is there
>>> a way to administratively be able to take the firewall down, or open up a
>>> port, so we can complete the scan? Ideally, no user interaction or
>>> intervention would be required.
>>>
>>> Thanks.
>>
>> I don't have an answer but your question makes me ask you a question:
>> Do you really want a firewall with the capability of being shut off
>> remotely? Your request seems to be counter-productive to me.
>>
>> If you do accomplish this, are the clients you refer to people or boxes? If
>> they are people and you do this as a service, what will their reaction be
>> when they find out you are disabling their protection? I'm sorry, but it
>> sounds more like you are trying to defeat in-place security than enforce it.
>>
>> Hey maybe I'm totally off base here, but I personally will not buy a
>> firewall that some Joe Schmoe can disable remotely from the comfort of his
>> own home before hacking my box! Anyone? Anyone?
>>
>> --ScareCrowe





#7 ScareCrowe, March 4th 05, 08:25 PM

"tealblue" wrote in message ...
> I am not talking about a home environment, I am an IT Admin and I need to
> scan machines on my internal network for vulnerabilities that go beyond what
> AV software and the firewall can protect.
>
> I am looking for guidance on how to take the firewall down for **seconds**
> while we do this scan.


Well IMHO, here is the bottom line:
If you are able to disable the firewall, even temporarily, then you are 100%
vulnerable, 100% of the time. Period.

I'm no guru, but I know that if I can do something like this, so can the
'hacker'.

I'm getting the impression you know more about the specific vulnerability
than you are telling. Perhaps you could be more forthcoming with the details
and someone could help you further?

--ScareCrowe


#8 David Beder [MSFT], March 6th 05, 08:40 AM

The easy answer is to find out what port your scanning service uses and open
it with the scope set to the scanning machines. Unfortunately, many scanning
utilities don't always work over a fixed port. The IPsec bypass feature was
created just for that purpose. It relies on the authentication of the
incoming peer using IPsec, then consults the Active Directory against a
group policy defined set of allowed computers which can access all ports. It
requires a minimal IPsec policy rollout, typically using Kerberos
authentication. You'll also want to create a specific security group for
your scanning machines.

There's a firewall deployment guide on Microsoft.com (and maybe the TechNet
articles as well) which can walk you through this feature.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


"tealblue" wrote in message ...
> We run a network based scanner, similar to Nessus, to check for
> vulnerabilities on client machines. Assuming Windows XP is running, is there
> a way to administratively be able to take the firewall down, or open up a
> port, so we can complete the scan? Ideally, no user interaction or
> intervention would be required.
>
> Thanks.
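
The "open the port with the scope set to the scanning machines" approach from posts #5 and #8, written as a batch script for the Windows XP SP2 `netsh firewall` context. This is an added example, not part of any post in the thread; the scanner address (192.0.2.10), the TCP port (445) and the rule name are placeholders chosen for illustration.

```bat
@echo off
rem Added example, not from the thread. Uses the "netsh firewall" context
rem that ships with Windows XP SP2. Run from an administrator command prompt
rem or deploy it as a computer startup script.
rem
rem ASSUMPTIONS (placeholders, replace with your own values):
rem   SCANNER_ADDR  address of the scanning machine (192.0.2.10 is a
rem                 documentation-range address constructed for this example)
rem   SCAN_PORT     TCP port your scanner documents (445 is only an example)
rem   RULE_NAME     hypothetical label used to find the rule again
set SCANNER_ADDR=192.0.2.10
set SCAN_PORT=445
set RULE_NAME=VulnScanner-scoped

rem Record the firewall state before the change so it can be audited later.
netsh firewall show state

rem scope=CUSTOM limits the exception to the listed source addresses.
rem profile=DOMAIN keeps the port closed when the machine is off the
rem corporate network (for example a laptop on a home connection).
netsh firewall add portopening protocol=TCP port=%SCAN_PORT% name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%SCANNER_ADDR% profile=DOMAIN

rem Confirm the exception is listed under the expected name.
netsh firewall show portopening | findstr /C:"%RULE_NAME%" >nul
if errorlevel 1 (
    echo Scoped exception "%RULE_NAME%" was not created. 1>&2
    exit /b 1
)
echo Port %SCAN_PORT% is open to %SCANNER_ADDR% only, domain profile.

rem Roll back once scanning no longer needs the exception:
rem   netsh firewall delete portopening protocol=TCP port=%SCAN_PORT% profile=DOMAIN
```

The firewall stays enabled throughout; every other source address still sees the port as closed, which is the difference between this and taking the firewall down for the duration of the scan.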



 










All times are GMT +1.