BeyondTrust

Knowledge Base

Knowledge Base Article ID: KB000760

Microsoft Windows has several security and configuration settings that affect whether vulnerability assessment products can remotely access the local resources required for file and registry scanning. Before making the changes below, first verify that your company's security policy allows this remote access.

Note: This KB does not apply to scans performed using PowerBroker Endpoint Protection or Retina Protection Agent. These products perform local vulnerability assessment and are an excellent way to retrieve vulnerability scan results without modifying client configuration.

To scan Windows machines properly, check and perform the following:

STEP 1
Local security policy setting: Set "Network access: Sharing and security model for local accounts" to "Classic".

Purpose: So that the account used for remote scanning keeps its local permissions instead of being treated as Guest, this setting needs to be changed to "Classic" as follows (the same setting can also be applied through Domain policy):

a) From the Control Panel, select "Administrative Tools".
b) Select "Local Security Settings".
c) From the left pane, expand "Security Settings" -> Local Policies -> Security Options.
d) From the right pane, scroll down to "Network access: Sharing and security model for local accounts" and change it to "Classic". After exiting from the Management Console, the setting should take effect immediately.

STEP 2
Disable (or set exceptions within) Windows Firewall.

Purpose: Allows proper communication between the Retina scanner and the target host.

a) From the Control Panel, select "Windows Firewall".
b) Either disable the Windows Firewall or add exceptions for File and Print Sharing.

NOTE: Retina requires that TCP/445 (Microsoft-DS SMB file sharing) or TCP/139 (NetBIOS Session Service) be open on the scan target. These are standard file sharing ports, and are open by default on most versions of Windows. Verify that no in-line devices such as network firewalls are restricting access to these ports.

STEP 3
Enable "Remote Registry" service.

Purpose: For Retina to be able to read the registry keys and values, this service needs to be enabled as follows:

a) From the Control Panel, select "Administrative Tools".
b) Select "Services".
c) Search for the name "Remote Registry" and double-click the entry.
d) In the dialog box, press the "Start" button. From the same dialog, the service can be configured to start automatically at system startup by setting the "Startup type" to "Automatic".

STEP 4
Local security policy setting: set "Network access: LAN Manager authentication level" either a) to the same value on all machines (scanner and targets) or b) to "Send LM & NTLM - use NTLMv2 session security if negotiated".

Purpose: The setting should match what is configured on the Retina scanner so that a common authentication protocol is negotiated. The option is found as follows:

a) From the Control Panel, select "Administrative Tools".
b) Select "Local Security Settings".
c) From the left pane, expand "Security Settings" -> Local Policies -> Security Options.
d) From the right pane, locate the option in question and compare what is configured on the scanner with what is configured on the target host. Testing suggests that the system may require a reboot after making the change; it does not necessarily take effect immediately.

Note: "Send LM & NTLM - use NTLMv2 session security if negotiated" ensures the scanner can authenticate against hosts with any NTLM/LM setting, which matters when Windows workgroup computers (i.e. non-domain machines) are not all configured the same way.

STEP 5 (Windows Vista and Later)
Starting with Windows Vista, Microsoft introduced User Account Control (UAC). UAC is enabled by default and can be disabled only from the registry. Note that this step modifies the registry, so the usual precaution of backing it up before proceeding applies.

Purpose: To authenticate remotely without UAC restrictions, the registry value below must be set to allow this. For further information see: http://support.microsoft.com/kb/942817

Create the following registry key and value:

a) From the "Run" dialog box (Press WINDOWS_KEY + 'r'), type "regedit.exe" which starts the Registry Editor.
b) Locate the following registry key: HKEY_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
c) In this registry key, create the following DWORD value and set it to '1': LocalAccountTokenFilterPolicy
d) A system reboot is required after making the change; it does not take effect immediately.
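As an added audit example (not part of this KB and not BeyondTrust's own tooling), the following PowerShell reads the registry values, service state and firewall state behind steps 1 to 5 on a scan target, so an administrator can record the host's configuration before applying the changes and confirm it afterwards. The registry paths and value meanings (ForceGuest, LmCompatibilityLevel, LocalAccountTokenFilterPolicy) are the standard Microsoft ones behind each policy item and are an assumption rather than something this KB states; the NetSecurity cmdlets assume Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Audit-only: reports each KB000760 setting and whether it matches the KB's
# recommended state. Nothing is modified. (Added example; registry mappings
# are assumed from Microsoft's documented policy-to-registry correspondence.)
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy is at its built-in default
}

$results = @()

# STEP 1: ForceGuest 0 = "Classic", 1 = "Guest only"
$fg = Get-RegValue $lsa 'ForceGuest'
$results += [pscustomobject]@{ Step = 1; Setting = 'Sharing and security model (ForceGuest)'
    Value = $fg; Ok = ($fg -eq 0) }

# STEP 2: SMB reachable - profiles disabled OR File and Printer Sharing inbound rules
# enabled, and TCP/445 actually listening on the host
$profilesOn = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Count
$fpsRules   = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Enabled -eq 'True' }).Count
$listen445  = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue).Count -gt 0
$results += [pscustomobject]@{ Step = 2; Setting = 'Firewall allows SMB (TCP/445)'
    Value = "profilesOn=$profilesOn fpsRules=$fpsRules listen445=$listen445"
    Ok = ($listen445 -and ($profilesOn -eq 0 -or $fpsRules -gt 0)) }

# STEP 3: Remote Registry service must be running (startup type shown for reference)
$rr = Get-Service -Name RemoteRegistry
$results += [pscustomobject]@{ Step = 3; Setting = 'Remote Registry service'
    Value = "$($rr.Status)/$($rr.StartType)"; Ok = ($rr.Status -eq 'Running') }

# STEP 4: LmCompatibilityLevel 1 = "Send LM & NTLM - use NTLMv2 session security if
# negotiated". A value that merely matches the scanner is also acceptable per the KB,
# so compare the reported value with the scanner host manually in that case.
$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
$results += [pscustomobject]@{ Step = 4; Setting = 'LAN Manager authentication level'
    Value = $lm; Ok = ($lm -eq 1) }

# STEP 5: LocalAccountTokenFilterPolicy 1 = remote logons by local administrators are
# not filtered by UAC (the KB's required state; widens remote admin access, so keep
# the company policy check from the top of the KB in mind)
$lat = Get-RegValue $uac 'LocalAccountTokenFilterPolicy'
$results += [pscustomobject]@{ Step = 5; Setting = 'LocalAccountTokenFilterPolicy'
    Value = $lat; Ok = ($lat -eq 1) }

$results | Format-Table -AutoSize
```

A blank Value means the registry value is absent and Windows is using its default for that policy; run the script again after the reboot that steps 4 and 5 may require.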