How can I deploy the necessary GFI LANguard Windows XP Service Pack 2 Firewall settings via a domain Group Policy?
The information in this article applies to:
- GFI LANguard 9.0
- GFI LANguard Network Security Scanner 5
- GFI LANguard Network Security Scanner 6
- GFI LANguard Network Security Scanner 7
- GFI LANguard Network Security Scanner 8
Article ID: KBID002177
The necessary changes to be done to the default firewall settings include the following:
- Opening a number of ports (135, and one or more in the range 1070-1170).
- Enabling file sharing.
- Enabling WMI administration.
You can apply the necessary firewall settings
- On a computer by computer basis, or
- Via an Active Directory domain group policy.
Deploying firewall settings on a computer by computer basis
The procedure to deploy firewall settings on a computer by computer basis can be found at http://kbase.gfi.com/showarticle.asp?id=KBID002139.
Deploying firewall settings via Active Directory Group policy
This will be achieved by configuring three different sections of a newly created Group Policy Object (GPO) which will be covered in the following steps:
Step 1: Create and set up the “LNSS Firewall Settings” GPO to open the required firewall ports.
Step 2: Specify in the GPO the settings which will enable Windows File and Printer Sharing.
Step 3: Specify in the GPO the deployment of a .msi file which will enable WMI Administration.
Step 1: Create and set up the “LNSS Firewall Settings” GPO to open the required firewall ports.
In this step, a domain group policy will be created with the name ‘LNSS Firewall Settings’. This new group policy will then be updated to contain the Windows XP Service Pack 2 domain-configurable options and set up to open the ports required by LNSS.
On the Domain Controller:
1. To avoid compatibility problems ensure that the machine is fully patched with the latest updates.
2. Open the Active Directory User and Computers MMC Console (Start > Run > dsa.msc).
3. Right click on the domain to which you want to apply the policy and select ‘Properties’. Go to the ‘Group Policy’ tab.
4. Click on the “New…” button. Name the new GPO ‘LNSS Firewall Settings’.
On a Windows XP with Service Pack 2 computer joined to the domain:
5. Log on as domain administrator.
6. Download and install the .NET Framework (required for the next step).
7. Download and install the Microsoft Group Policy Management Console (GPMC). The GPMC can be downloaded from: http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
8. Launch the GPMC (Start > Run > gpmc.msc).
9. Expand the tree under the forest you will be updating.
10. Expand the tree under ‘Domains’.
11. Expand the domain which you will be updating.
12. Right click on ‘LNSS Firewall Settings’ and select ‘Edit…’.
13. In the Group Policy Object editor MMC console go to Computer Configuration > Administrative Templates > Network > Network Connection > Windows Firewall > Domain Profile.
14. Double click on the entry ‘Windows Firewall: Define port exceptions’.
15. Select “Enabled”.
16. Click on the ‘Show…’ button which will bring up the port exception list dialog.
17. To add the port 135 to the list of ports to enable:
a. Select Add…
b. Type “135:TCP:localsubnet:enabled:RPCPort” > Select OK. (Do not include the quotes.)
18. To add the port 1070 to the list of ports to enable:
a. Select Add…
b. Type “1070:TCP:localsubnet:enabled:LNSS_FeedbackPort_1070” > Select OK. (Do not include the quotes.)
19. NOTE: To add one or more ports in the range 1070-1170, repeat step 18 for every port, replacing the number 1070 with the respective port number. For example, to open port 1073 specify the string “1073:TCP:localsubnet:enabled:LNSS_FeedbackPort_1073”.
20. Select OK (Do not close the Group Policy Object Editor).
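As an added example (not part of the GFI article), the Python below builds the exact port-exception strings that Step 1 asks you to type and reviews a list read back from a GPO, flagging entries whose scope is wider than localsubnet or that are present but disabled. The field rules it enforces are assumptions about the port:protocol:scope:status:name format, not something the article states.

```python
import re
from typing import List

# A "Define port exceptions" entry has the shape  port:protocol:scope:status:name
# (e.g. 135:TCP:localsubnet:enabled:RPCPort as quoted in Step 1).
# Field rules below are an assumption about the format, not taken from the article.
_ENTRY_RE = re.compile(
    r"^(\d{1,5}):(TCP|UDP):([^:]+):(enabled|disabled):([^:]+)$", re.IGNORECASE
)

def parse_exception(entry: str) -> dict:
    """Split one exception string into its five fields, validating each one."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"not a port:protocol:scope:status:name entry: {entry!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"port": port, "protocol": m.group(2).upper(), "scope": m.group(3),
            "status": m.group(4).lower(), "name": m.group(5)}

def lnss_exceptions(feedback_ports: List[int]) -> List[str]:
    """Build the Step 1 entries: port 135 as RPCPort plus one
    LNSS_FeedbackPort_<n> entry per chosen port in 1070-1170,
    all TCP and restricted to the local subnet."""
    bad = [p for p in feedback_ports if not 1070 <= p <= 1170]
    if bad:
        raise ValueError(f"feedback ports outside 1070-1170: {bad}")
    entries = ["135:TCP:localsubnet:enabled:RPCPort"]
    entries += [f"{p}:TCP:localsubnet:enabled:LNSS_FeedbackPort_{p}"
                for p in sorted(set(feedback_ports))]
    return entries

def review_exceptions(entries: List[str]) -> List[str]:
    """Check a list as read back from the GPO: report malformed entries,
    entries open to any address ('*' scope instead of localsubnet) and
    entries that exist but are disabled, so nothing silently stays
    blocked or is opened wider than the article intends."""
    findings = []
    for e in entries:
        try:
            d = parse_exception(e)
        except ValueError as exc:
            findings.append(f"INVALID {e!r}: {exc}")
            continue
        if d["scope"] == "*":
            findings.append(f"WIDE SCOPE {d['port']}/{d['protocol']}: "
                            "open to any address, expected localsubnet")
        if d["status"] != "enabled":
            findings.append(f"DISABLED {d['port']}/{d['protocol']}: "
                            "exception present but inactive")
    return findings
```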
Step 2: Specify in the GPO the settings which will enable Windows File and Printer Sharing.
(You should still be in the Group Policy Object Editor.)
1. In the Group Policy Object editor MMC console go to Computer Configuration > Administrative Templates > Network > Network Connection > Windows Firewall > Domain Profile.
2. Double click on the entry ‘Windows Firewall: Allow file and printer sharing exception’.
3. Select “Enabled”.
4. Type “localsubnet” in the edit box provided.
5. Select OK (Do not close the Group Policy Object Editor).
Step 3: Specify in the GPO the deployment of a .msi file which will enable WMI Administration.
To enable WMI administration, some firewall API calls must be run directly on the target machines. There is no GPO property which can be set to achieve this directly. You will need to deploy an MSI installation containing a .vbs file which makes the necessary firewall API calls. The GPO will be used to deploy this .msi file to the domain computers.
On the domain controller:
1. Select the newly created GPO ‘LNSS Firewall Settings’.
2. Click on the ‘Edit…’ button.
3. Download the file http://software.gfi.com/kbase/WMI-Enable.msi and save it to a common share which is reachable from all machines in the domain (e.g. \\fileserver\common\GPOFiles).
4. In the Group Policy Object editor MMC console go to Computer Configuration > Software Settings > Right Click on Software Installation node > New > Package…
5. Specify the UNC path to the .msi file, e.g. \\fileserver\common\GPOFiles\WMI-Enable.msi, and select OK.
6. Select the option ‘Assigned’ and click on OK.
7. Close the Group Policy Object Editor.
8. Close the Domain Properties Dialog.
9. Close the Active Directory Users and Computers.
Done. Once all of the above steps are complete the GPO configuration is ready.
WARNING: Some time may be required for GPO replication to complete across all Domain Controllers. Machines with Windows XP SP2 will also require a reboot before the new GPO is propagated to them.
GFI LANguard will now be able to scan and deploy software updates to the target machines normally.
Common Difficulties:
Difficulty 1: GPO firewall exception options not available.
The policy setting updates were not successfully applied. Repeat Step 1.
Difficulty 2: Receiving the error “entry in the [strings] section is too long” when editing the GPO.
Your Domain Controller is not fully patched with the latest updates. When this is the case you may receive the error ‘The following entry in the [strings] section is too long and has been truncated’ when trying to access the newly added GPOs options. The solution to this is documented in the Microsoft KBASE article:
http://support.microsoft.com/default.aspx?kbid=842933
Difficulty 3: Do I really need to deploy the .vbs file via an .msi file?
Yes, for the GPO-based procedure described here: there is no simple method that works under all circumstances without using an .msi package. Outside of this procedure, you can use any deployment method which fits your network to deploy and execute the .vbs file on the target machines in the domain.
Difficulty 4: What script is contained in the .msi file?
The script can be found at http://kbase.gfi.com/showarticle.asp?id=KBID002139.
Difficulty 5: I applied the GPO settings but nothing is happening.
It is recommended that you reboot the Domain Controller to enforce replication. Once the DC has been rebooted and enough time has been given for replication to complete across all DCs, reboot the Windows XP machines.
Difficulty 6: I cannot find “Windows Firewall: Define port exceptions” and “Windows Firewall: Define program exceptions” on my Windows 2000 Domain Controller, but I do have the Windows Firewall sub node. What’s wrong?
It was observed that on Windows 2000 domain controllers these two options are missing. The cause of this problem is so far unknown, but it does appear to be a bug in the Windows 2000 Group Policy handling. There is a workaround which allows you to configure these options: although they will still not show on the domain controller, their settings will still propagate to all the clients connected to the domain. To edit these options, use the GPMC utility (Start > Run > gpmc.msc) from the Windows XP with Service Pack 2 machine instead of editing them directly on the domain controller. Please refer to the “Step 1: Create and set up the “LNSS Firewall Settings” GPO to open the required firewall ports.” section above for further information on how to achieve this.
Difficulty 7: I have followed the above outlined procedure perfectly but still WMI / LNSS port scanning does not work for me. What is wrong?
If, after following the procedure above, LNSS still fails to scan the target machine or WMI-based scripts fail to run correctly on the Windows XP Service Pack 2 machines, make sure you do not have any other firewall running which might be blocking these processes. If you are running other firewalls, disable them and try again.