MBSA and GP firewall settings

Guest

I can’t get the MBSA to scan a remote XPSP2 client that has a GP configured
firewall without getting the error for the Security Updates stating that it
can scan the remote client possibly due to a firewall setting.

Here’s what I did:

1. Deployed a GP Computer Settings\Administrative Templates\Network\Network
Connections\Windows Firewall for both Domain Profile and Local Profile w/ the
following settings:

- Protect all network connections: enabled
- Do not allow exceptions: Not configured
- Define program exceptions: not configured
- Allow local program exceptions: enabled
- Allow remote administration exception: enabled: Allow unsolicit…. *
- Allow file and printer sharing exception: enabled: Allow unsolicit…. *
- Allow ICMP: enabled: Allow inbound echo request (all other options not
enabled)
- Allow Remote Desktop exception: enabled: Allow unsolicit…. *
- Allow UPnP framework exception: enabled: Allow unsolicit…. *
- Prohibit notifications: disabled
- Allow file and printer sharing exception: enabled: Allow unsolicit…. *
- Allow logging: enable (configured for local drive)
- Prohibit unicast response to multicast….: disabled
- Define port exceptions: enabled: <custom unused port>:TCP:*:MBSA (TCP port
###)
- Allow local port exceptions: enabled

2. Per the http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx
firewall section, I added the following reg key to the client workstation:
HKEY_LOCAL_MACHINE\Software\Classes
\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints REG_MULTI_SZ
“ncacn_ip_tcp,0,<the port number I enabled in the firewall>”

3. Per the http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx
firewall section, I ran the following on the client computer:

WindowsXP-KB902400-x86-ENU.exe /passive /B:SP2QFE

Note that we use WSUS and this patch was already deployed successfully to
this client but I went ahead and ran it again per these instructions.

When I disable the client’s firewall, MBSA scans w/out error. When I
enable the firewall, I get the Security Updates error.

What am I doing wrong?
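
A consistency check for the settings in steps 1 and 2, added here as an example and not part of the original post: it parses the `Endpoints` string and the "Define port exceptions" entries and reports whether the static endpoint port is covered by an enabled TCP exception. The five-field `port:transport:scope:status:name` form is the syntax that policy setting documents; port 50000, the sample strings and the function names are constructed for illustration.

```python
# Constructed sample values: 50000 stands in for the poster's unnamed custom port.
ENDPOINTS = ["ncacn_ip_tcp,0,50000"]            # REG_MULTI_SZ "Endpoints" strings
PORT_EXCEPTIONS = ["50000:TCP:*:enabled:MBSA"]  # "Define port exceptions" entries


def parse_endpoint(entry):
    """Return the static TCP port from an 'ncacn_ip_tcp,0,<port>' string."""
    # Stray characters (e.g. smart quotes pasted with the value) fail these checks.
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 3 or parts[0].lower() != "ncacn_ip_tcp" or not parts[2].isdigit():
        raise ValueError(f"malformed endpoint: {entry!r}")
    port = int(parts[2])
    if not 1 <= port <= 65535:
        raise ValueError(f"endpoint port out of range: {entry!r}")
    return port


def parse_port_exception(entry):
    """Parse 'port:transport:scope:status:name' into (port, transport, enabled)."""
    fields = [f.strip() for f in entry.split(":", 4)]
    if len(fields) != 5 or not fields[0].isdigit():
        raise ValueError(f"malformed port exception: {entry!r}")
    port, transport, _scope, status, _name = fields  # scope is not evaluated here
    if transport.upper() not in ("TCP", "UDP") or status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"malformed port exception: {entry!r}")
    return int(port), transport.upper(), status.lower() == "enabled"


def check(endpoints, exceptions):
    """Return a list of problems; an empty list means the two settings agree."""
    problems, rules = [], []
    for entry in exceptions:
        try:
            rules.append(parse_port_exception(entry))
        except ValueError as err:
            problems.append(str(err))
    for entry in endpoints:
        try:
            port = parse_endpoint(entry)
        except ValueError as err:
            problems.append(str(err))
            continue
        if (port, "TCP", True) not in rules:
            problems.append(f"no enabled TCP exception for endpoint port {port}")
    return problems


if __name__ == "__main__":
    print(check(ENDPOINTS, PORT_EXCEPTIONS) or "endpoint and firewall exception agree")
```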