Target Host Requirements: Windows 2000, 2003, XP

Note: These requirements apply to non-domain (local) scanning only.

When preparing to run Windows trusted scans on systems running Windows 2000, 2003 and XP, be sure that the following system settings are correct. Without these settings, the service cannot perform Windows trusted scanning on target hosts in your network.  

System Settings:

Local Account

Enable Server Service

Enable File and Printer Sharing on Network Interface

Disable Simple File Sharing (SFS): Windows XP

Enable Remote Registry Service

Allow Remote Administration on Windows Firewall: Windows 2003, XP

 


Local Account

A local account which is in the Administrator's group must be used.

 


Enable Server Service

The Server Service is typically enabled. If disabled, you can enable it via policies or scripts. Note that File and Printer Sharing, which is required for trusted scanning, will function only when the Server Service is enabled.

 


Enable File and Printer Sharing on Network Interface

File and Printer Sharing must be enabled on the network interface of all hosts to be scanned (note that it is enabled by default). You can enable this manually via the Network Interface properties, or using a script with a tool such as "netset.exe" or "snetcfg.exe".

Netset.exe is a Windows command-line tool that supports changing network interface settings. For information see:
http://support.microsoft.com/default.aspx?scid=268781

Snetcfg.exe is a Microsoft Development Kit tool. For information see:
http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/bc2ef5a6df39fdad

Compiled versions of snetcfg are available for Windows 2000 and Windows XP.

 


Disable Simple File Sharing (SFS): Windows XP

Simple File Sharing (SFS) must be disabled on Windows XP systems to be scanned. SFS is disabled by default when a Windows XP Pro system joins a domain, so no configuration should be necessary to support trusted scanning on Windows XP Pro systems in an enterprise network. It's possible for users to enable SFS so there may be a need to use a Group Policy or other means to ensure that this is disabled.

If you wish to scan a Windows XP Home system or a Windows XP Pro system, which has not been added to a domain, then SFS must be disabled on these systems.

It's possible to disable this option manually per machine. To do this on the local machine, open Windows Explorer (not IE) and go to Tools > Folder Options > View. Under Advanced settings, uncheck the setting "Use simple file sharing (Recommended)" and then click OK.

 


Enable Remote Registry Service

The scanning engine must access the system registry to perform Windows trusted scanning. To allow the scanning engine access to the system registry, the Remote Registry service must be enabled. To check this, go to Control Panel > Administrative Tools > Services and verify that the service is running and set to start automatically.

 


Allow Remote Administration on Windows Firewall:  Windows 2003, XP

To allow access through Windows Firewall (if used), be sure to set the Remote Administration Exception within the Windows Firewall. Using Group Policy, this setting can be found under:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile (Or replace Standard Profile with Domain Profile if your computer is a member of a Windows domain.)

If you manage your firewall through the Control Panel, you must enable TCP ports 135 and 445.