Windows Domain Account: Group Policy Settings

Group Policy settings required for trusted scanning of Windows systems (2003, XP, Vista, 7, 2008, 2012) systems are described below.

Important!  We highly recommended that you discuss making changes to Group Policy with your network administrator before implementation, as your local network configuration may depend on certain settings being in place. Qualys does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client.

Security Options

The Security Options settings are located here:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Setting

Value

Description

Network access: Sharing and security model for local accounts

Classic

(Required)  Local users authenticate as themselves. (This is the equivalent of turning off simple file sharing.)

Accounts: Guest account status

Disabled

(Optional)  These settings ensure that systems are configured correctly. In many environments, it's likely this behavior is the default for a domain joined system.

Network access: Let Everyone permissions apply to anonymous users

Disabled

User Access Control: Admin Approval Mode for the Built-in Administrator account

Disabled

(Required for Compliance and SCAP scans) Applicable to Windows Vista and later systems. These settings turn off User Access Control (UAC).

User Account Control: Detect application installations and prompt for elevation

Disabled

User Account Control: Run all administrators in Admin Approval Mode

Disabled

System Services

The System Services settings are located here:

Computer Configuration > Windows Settings > Security Settings > System Services

Setting

Value

Description

Remote registry

Automatic

(Required)  This ensures that the Remote Registry service is running on the target machines in the domain.

Server

Automatic

(Required)

Windows Firewall

Automatic

(Required)  This setting must be set to Automatic in the System Services settings in order for the operating system to accept incoming connections. In the Windows Firewall section (in the Computer Configuration section), it may be set to Permissive or Blocking.

Administrative Templates

The Administrative Template settings are located here:

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

For the setting "Windows Firewall: Protect all network connections" the value can be Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your networking environment. By choosing Enabled, if the firewall blocks a port, the port is not vulnerable unless the port is later opened. As best practice you should re-scan anytime you open a port that was previously not open.

Setting

Value

Description

Windows Firewall: Protect all network connections

Disabled

(Recommended)  This is the only way to ensure every open port on your system is scanned.

Windows Firewall: Protect all network connections

Enabled

When set to Enabled, set the additional Windows Firewall settings below.

 

If Enabled, these settings are also required.

Setting

Value

Description

Windows Firewall: Allow remote administration exception

Enabled

(Required)  See below about entering IPs in the field "Allow unsolicited messages from".*

Windows Firewall: Allow file and printer sharing exception

Enabled

(Required)  See below about entering IPs in the field "Allow unsolicited messages from".*

Windows Firewall: Allow ICMP exceptions

Enabled

(Optional for Vulnerability Scan, Required for Compliance Scan)  This must be set with the option "Allow inbound echo request".

 

* In the "Allow unsolicited messages from" field, enter "*" (do not enter quotes) or the IP address assigned to your scanner appliance(s) to be used for internal scanning. To view the scanner IP addresses for your account, go to Help > About on the top menu bar.