Best practice Group Policy settings for trusted scanning of Windows 2003, XP, Vista, 7, and 2008 systems are described below. Please consult your network administrator before making changes to Group Policy as changes may have an adverse impact on your network operations, depending on your network configuration and security policies in place. Note that detailed documentation for many Group Policy settings listed below is available online when using the Group Policy Editor.
Important! We highly recommend that you discuss making changes to Group Policy with your network administrator before implementation, as your local network configuration may depend on certain settings being in place. The service does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client.
Please refer to your Microsoft documentation on Group Policy deployment for information.
The Security Options settings are located here:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
| Setting | Value | Description |
|---|---|---|
| Network access: Sharing and security model for local accounts | Classic | (Required) Local users authenticate as themselves. (This is the equivalent of turning off simple file sharing.) |
| Accounts: Guest account status | Disabled | (Optional) These settings ensure that systems are configured correctly. In many environments this behavior is likely already the default for a domain-joined system. |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | (Optional) As above. |
The System Services settings are located here:
Computer Configuration > Windows Settings > Security Settings > System Services
| Setting | Value | Description |
|---|---|---|
| Remote Registry | Automatic | (Required) This ensures that the Remote Registry service is running on the target machines in the domain. |
| Server | Automatic | (Required) |
| Windows Firewall | Automatic | (Required) This setting must be set to Automatic in the System Services settings in order for the operating system to accept incoming connections. In the Windows Firewall section (in the Computer Configuration section), it may be set to Permissive or Blocking. |
The Administrative Template settings are located here:
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
For the setting "Windows Firewall: Protect all network connections" the value can be Disabled or Enabled. Your network administrator should decide on the best option for your networking environment. Choosing Disabled is the only way to ensure that every open port on your system is scanned. If you choose Enabled and the firewall blocks a port, that port is not vulnerable unless it is later opened. As a best practice, re-scan any time you open a port that was previously closed.

| Setting | Value | Description |
|---|---|---|
| Windows Firewall: Protect all network connections | Disabled | (Recommended) This is the only way to ensure every open port on your system is scanned. |
| Windows Firewall: Protect all network connections | Enabled | When set to Enabled, also set the additional Windows Firewall settings below. |
Additional Windows Firewall settings are required when "Windows Firewall: Protect all network connections" is Enabled, as indicated below.
| Setting | Value | Description |
|---|---|---|
| Windows Firewall: Allow remote administration exception | Enabled | (Required) See below about entering IPs in the field "Allow unsolicited messages from".* |
| Windows Firewall: Allow file and printer sharing exception | Enabled | (Required) See below about entering IPs in the field "Allow unsolicited messages from".* |
| Windows Firewall: Allow ICMP exceptions | Enabled | (Optional for Vulnerability Scan, Required for Compliance Scan) This must be set with the option "Allow inbound echo request". |
*When configuring these firewall options, you are prompted to enter a range of IPs to allow in the field labeled "Allow unsolicited messages from". In this field, you can simply type "*" (do not include the quotes) or enter your scanner IP addresses - these are the IP addresses of your Scanner Appliances (for internal scanning) and/or the IP ranges for the QualysGuard External Scanners (for external, perimeter scanning). To view the scanner IP addresses for your account, go to Help > About on the top menu bar. You will find in the General Information section the IP addresses for the External Scanners and the Scanner Appliances (if installed).
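The following read-only audit script is an added example, not part of this Qualys page and not a Qualys tool. It checks a single client for the Security Options, System Services and Windows Firewall domain-profile settings described above and reports PASS/FAIL per setting, which is a quick way to confirm that Group Policy has actually applied before troubleshooting a failed trusted scan. The registry locations under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile`, the service names (`RemoteRegistry`, `LanmanServer`, `MpsSvc`/`SharedAccess`) and the `$ScannerAddresses` placeholder are my assumptions about where these policies land; confirm them against `gpresult /h` output on your own domain. WMI cmdlets are used so the script runs on the older Windows versions the page covers.

```powershell
# Added example (not from the Qualys page): audit a client for the Group Policy
# settings required for trusted scanning. Read-only; nothing is changed.
# Registry paths and service names below are assumptions; verify with gpresult /h.

# Placeholder: replace with your Scanner Appliance / External Scanner IPs,
# or leave '*' if the GPO allows unsolicited messages from any address.
$ScannerAddresses = @('*')

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$fwgp = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Setting($Name, $Actual, $Expected, $Level = 'Required') {
    $ok = ($Actual -ne $null) -and ($Actual -eq $Expected)
    [pscustomobject]@{
        Setting  = $Name
        Level    = $Level
        Expected = $Expected
        Actual   = if ($Actual -eq $null) { '<not set>' } else { $Actual }
        Result   = if ($ok) { 'PASS' } else { 'FAIL' }
    }
}

$results = @()

# --- Security Options --------------------------------------------------------
# ForceGuest 0 = Classic (local users authenticate as themselves)
$results += Test-Setting 'Sharing and security model for local accounts = Classic' `
    (Get-RegValue $lsa 'ForceGuest') 0
# EveryoneIncludesAnonymous 0 = Disabled
$results += Test-Setting 'Let Everyone permissions apply to anonymous users = Disabled' `
    (Get-RegValue $lsa 'EveryoneIncludesAnonymous') 0 'Optional'
# The built-in Guest account always has RID 501
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
$results += Test-Setting 'Guest account status = Disabled' $guest.Disabled $true 'Optional'

# --- System Services ---------------------------------------------------------
# MpsSvc is the firewall service on Vista/2008 and later; SharedAccess on XP/2003
$fwSvc = if (Get-WmiObject Win32_Service -Filter "Name='MpsSvc'") { 'MpsSvc' } else { 'SharedAccess' }
foreach ($svc in 'RemoteRegistry', 'LanmanServer', $fwSvc) {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    $results += Test-Setting "Service $svc start mode = Automatic" $s.StartMode 'Auto'
}

# --- Windows Firewall, domain profile ----------------------------------------
$fwEnabled = Get-RegValue $fwgp 'EnableFirewall'
if ($fwEnabled -eq 1) {
    # "Protect all network connections" is Enabled: the exceptions must be present
    $results += Test-Setting 'Allow remote administration exception = Enabled' `
        (Get-RegValue "$fwgp\RemoteAdminSettings" 'Enabled') 1
    $results += Test-Setting 'Allow file and printer sharing exception = Enabled' `
        (Get-RegValue "$fwgp\Services\FileAndPrint" 'Enabled') 1
    $results += Test-Setting 'ICMP: allow inbound echo request' `
        (Get-RegValue "$fwgp\IcmpSettings" 'AllowInboundEchoRequest') 1 'Optional (vuln) / Required (compliance)'

    # "Allow unsolicited messages from" must be * or must list every scanner address
    foreach ($k in 'RemoteAdminSettings', 'Services\FileAndPrint') {
        $scope = [string](Get-RegValue "$fwgp\$k" 'RemoteAddresses')
        $covered = ($scope -eq '*') -or
                   (($ScannerAddresses | Where-Object { $scope -notlike "*$_*" }).Count -eq 0)
        $results += [pscustomobject]@{
            Setting  = "$k scope covers scanner addresses"
            Level    = 'Required'
            Expected = ($ScannerAddresses -join ',')
            Actual   = if ($scope) { $scope } else { '<not set>' }
            Result   = if ($scope -and $covered) { 'PASS' } else { 'FAIL' }
        }
    }
} else {
    # Disabled (0) is the page's recommended value; unset means no policy applied
    $results += Test-Setting 'Protect all network connections = Disabled' $fwEnabled 0 'Recommended'
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a client after `gpupdate /force`; a row showing `<not set>` usually means the policy has not applied to that machine yet (the page notes this can take several hours), while a FAIL with a concrete value points at a conflicting local or higher-precedence GPO.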