Best practice Group Policy settings for authenticated scanning of Windows systems are described below.
Important! We highly recommend that you discuss any Group Policy changes with your network administrator before implementing them, as your local network configuration may depend on certain settings being in place. Qualys does not verify that these settings are appropriate for your network. If you do make Group Policy changes, it may take several hours before the changes take effect on the client.
The Security Options settings are located here:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
| Setting | Value | Description |
|---|---|---|
| Network access: Sharing and security model for local accounts | Classic | (Required) Local users authenticate as themselves. (This is the equivalent of turning off simple file sharing.) |
| Accounts: Guest account status | Disabled | (Optional) This setting and the next ensure that systems are configured correctly. In many environments this behavior is likely already the default for a domain-joined system. |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | (Optional) See the description for "Accounts: Guest account status"; the same note applies. |
The System Services settings are located here:
Computer Configuration > Windows Settings > Security Settings > System Services
| Setting | Value | Description |
|---|---|---|
| Remote registry | Automatic | (Required) This ensures that the Remote Registry service is running on the target machines in the domain. |
| Server | Automatic | (Required) |
| Windows Firewall | Automatic | (Required) This service must be set to Automatic in the System Services settings in order for the operating system to accept incoming connections. Whether the firewall itself is permissive or blocking is configured separately, in the Windows Firewall section under Computer Configuration (see below). |
The Administrative Template settings are located here:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
For the setting "Windows Firewall: Protect all network connections" the value can be Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your networking environment. If you choose Enabled, a port that the firewall blocks is not exposed, and therefore not vulnerable, unless the port is later opened. As a best practice, re-scan any time you open a port that was previously closed.
| Setting | Value | Description |
|---|---|---|
| Windows Firewall: Protect all network connections | Disabled | (Recommended) This is the only way to ensure every open port on your system is scanned. |
| Windows Firewall: Protect all network connections | Enabled | When set to Enabled, also set the additional Windows Firewall settings below. |
If Enabled, these settings are also required.
| Setting | Value | Description |
|---|---|---|
| Windows Firewall: Allow remote administration exception | Enabled | (Required) See below about entering IPs in the field "Allow unsolicited messages from".* |
| Windows Firewall: Allow file and printer sharing exception | Enabled | (Required) See below about entering IPs in the field "Allow unsolicited messages from".* |
| Windows Firewall: Allow ICMP exceptions | Enabled | (Optional for Vulnerability Scan, Required for Compliance Scan) This must be set with the option "Allow inbound echo request". |
* In the "Allow unsolicited messages from" field, enter "*" (do not enter quotes) or the IP address assigned to your scanner appliance(s) to be used for internal scanning. To view the scanner IP addresses for your account, go to Help > About on the top menu bar.
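The settings above are spread across three Group Policy locations, and a policy change can take hours to reach a client, so it is useful to confirm on a target host what is actually in effect before troubleshooting a failed authenticated scan. The script below is an added example, not part of the Qualys documentation: it reads the effective value of each setting on the local host and reports PASS, FAIL or REVIEW against the recommended values. The registry locations it reads are, to my knowledge, where the Security Options and Windows Firewall (Domain Profile) administrative templates store these values; they are an assumption taken from general knowledge of those templates, not from this page, so confirm them against `gpresult /h` or RSoP in your own domain. The `$ScannerIPs` list is a constructed placeholder for your scanner appliance addresses. Run it in an elevated PowerShell session on a domain-joined host after `gpupdate /force`.

```powershell
# Added example (not Qualys documentation): audit one Windows host's effective
# settings against the Group Policy values recommended for authenticated scanning.
# Assumption: the registry paths below are where the Security Options and
# Windows Firewall Domain Profile ADMX templates write their values; verify with
# gpresult /h or RSoP. $ScannerIPs is a constructed placeholder.

$ScannerIPs = @('10.0.0.50', '10.0.0.51')   # placeholder: your scanner appliance IP(s)

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$FwDomain = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (i.e. not set by policy).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check([string]$Setting, [string]$Expected, $Actual, [string]$Result) {
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Result = $Result }
}

function Test-Scope([string]$Scope, [string[]]$Ips) {
    # "Allow unsolicited messages from" is stored as a comma-separated list.
    # '*' admits everything; otherwise every scanner IP must be listed literally
    # (entries such as LocalSubnet or CIDR ranges are not expanded here).
    if ([string]::IsNullOrWhiteSpace($Scope)) { return $false }
    if ($Scope.Trim() -eq '*') { return $true }
    $allowed = $Scope -split ',' | ForEach-Object { $_.Trim() }
    return -not ($Ips | Where-Object { $allowed -notcontains $_ })
}

$checks = @()

# --- Security Options ---------------------------------------------------------
$forceGuest = Get-RegValue $Lsa 'ForceGuest'   # 0 = Classic, 1 = Guest only
$checks += New-Check 'Network access: Sharing and security model for local accounts' `
    'Classic (ForceGuest = 0)' $forceGuest $(if ($forceGuest -eq 0) { 'PASS' } else { 'FAIL' })

$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$checks += New-Check 'Accounts: Guest account status' 'Disabled' `
    $(if ($guest) { "Enabled=$($guest.Enabled)" } else { 'account absent' }) `
    $(if ($guest -and $guest.Enabled) { 'FAIL' } else { 'PASS' })

$everyoneAnon = Get-RegValue $Lsa 'EveryoneIncludesAnonymous'   # 0 = Disabled
$checks += New-Check 'Network access: Let Everyone permissions apply to anonymous users' `
    'Disabled (0)' $everyoneAnon $(if ($everyoneAnon -eq 1) { 'FAIL' } else { 'PASS' })

# --- System Services ----------------------------------------------------------
$services = @{ 'Remote registry' = 'RemoteRegistry'; 'Server' = 'LanmanServer'; 'Windows Firewall' = 'MpsSvc' }
foreach ($label in $services.Keys) {
    $svc  = Get-CimInstance Win32_Service -Filter "Name='$($services[$label])'"
    $mode = if ($svc) { $svc.StartMode } else { 'service not found' }
    $checks += New-Check "Service: $label" 'Automatic' $mode $(if ($mode -eq 'Auto') { 'PASS' } else { 'FAIL' })
}

# --- Windows Firewall, Domain Profile -----------------------------------------
$fwSetting = 'Windows Firewall: Protect all network connections'
$fwEnabled = Get-RegValue $FwDomain 'EnableFirewall'
if ($fwEnabled -eq 0) {
    $checks += New-Check $fwSetting 'Disabled (recommended) or Enabled' 'Disabled' 'PASS'
} elseif ($fwEnabled -eq 1) {
    $checks += New-Check $fwSetting 'Disabled (recommended) or Enabled' 'Enabled' 'PASS'
    # With the firewall on, the exceptions become required and their scope must admit the scanner.
    foreach ($exc in @(
        @{ Label = 'Allow remote administration exception';    Key = 'RemoteAdminSettings' },
        @{ Label = 'Allow file and printer sharing exception'; Key = 'Services\FileAndPrint' })) {
        $on    = Get-RegValue "$FwDomain\$($exc.Key)" 'Enabled'
        $scope = Get-RegValue "$FwDomain\$($exc.Key)" 'RemoteAddresses'
        $ok    = ($on -eq 1) -and (Test-Scope $scope $ScannerIPs)
        $checks += New-Check "Windows Firewall: $($exc.Label)" 'Enabled, scope includes scanner' `
            "Enabled=$on; scope='$scope'" $(if ($ok) { 'PASS' } else { 'FAIL' })
    }
    $echo = Get-RegValue "$FwDomain\IcmpSettings" 'AllowInboundEchoRequest'
    $checks += New-Check 'Windows Firewall: Allow ICMP exceptions' 'Allow inbound echo request (1)' $echo `
        $(if ($echo -eq 1) { 'PASS' } else { 'FAIL (required for compliance scans)' })
} else {
    # Policy not configured: the host's local firewall setting applies, so review it manually.
    $checks += New-Check $fwSetting 'Disabled (recommended) or Enabled' 'Not configured by policy' 'REVIEW'
}

$checks | Format-Table -AutoSize -Wrap
```

A REVIEW result on the firewall row means the Domain Profile policy is not set at all, so the host is using whatever it was configured with locally; that is exactly the case where a scan can fail on one machine and succeed on another with the same GPO linked. The scope check is deliberately strict: it accepts only `*` or the scanner addresses listed verbatim, because an entry such as `LocalSubnet` may or may not cover the scanner depending on where the appliance sits.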