Note: These requirements apply to non-domain (local) scanning only.
When preparing to run Windows trusted scans on systems running Windows 2000, 2003 and XP, be sure that the following system settings are correct. Without these settings, the service cannot perform Windows trusted scanning on target hosts in your network.
System Settings:
Enable File and Printer Sharing on Network Interface
Disable Simple File Sharing (SFS): Windows XP
Enable Remote Registry Service
Allow Remote Administration on Windows Firewall: Windows 2003, XP
A local account that is a member of the Administrators group must be used.
The Server Service is typically enabled. If disabled, you can enable it via policies or scripts. Note that File and Printer Sharing, which is required for trusted scanning, will function only when the Server Service is enabled.
File and Printer Sharing must be enabled on the network interface of all hosts to be scanned (note that it is enabled by default). You can enable this manually via the Network Interface properties, or using a script with a tool such as "netset.exe" or "snetcfg.exe".
Netset.exe is a Windows command-line tool that supports changing network interface settings. For information see:
http://support.microsoft.com/default.aspx?scid=268781
Snetcfg.exe is a Microsoft Development Kit tool. For information see:
http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/bc2ef5a6df39fdad
Compiled versions of snetcfg are available for Windows 2000 and Windows XP.
Simple File Sharing (SFS) must be disabled on Windows XP systems to be scanned. SFS is disabled by default when a Windows XP Pro system joins a domain, so no configuration should be necessary to support trusted scanning on Windows XP Pro systems in an enterprise network. Users can re-enable SFS, however, so you may need a Group Policy or other means to ensure that it stays disabled.
If you wish to scan a Windows XP Home system, or a Windows XP Pro system that has not been added to a domain, then SFS must be disabled on these systems.
It's possible to disable this option manually per machine. To do this on the local machine, open Windows Explorer (not IE) and go to Tools > Folder Options > View. Under Advanced settings, uncheck the setting "Use simple file sharing (Recommended)" and then click OK.
The scanning engine must access the system registry to perform Windows trusted scanning. To allow the scanning engine access to the system registry, the Remote Registry service must be enabled. To check this, go to Control Panel > Administrative Tools > Services and verify that the service is running and set to start automatically.
To allow access through Windows Firewall (if used), be sure to set the Remote Administration Exception within the Windows Firewall. Using Group Policy, this setting can be found under:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Or replace Standard Profile with Domain Profile if your computer is a member of a Windows domain.)
If you manage your firewall through the Control Panel, you must enable TCP ports 135 and 445.
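The following batch script is an added example, not part of the original guidance or any vendor tooling. It performs a read-only audit of the settings above on the host to be scanned. It assumes English-language command output and that sc.exe, reg.exe and the "netsh firewall" context are available, and it takes the scan account name as an optional (hypothetical) argument. The per-interface File and Printer Sharing binding is not checked.

```batch
@echo off
rem Added example, not vendor code: read-only audit of the prerequisites above.
rem Run locally on the XP / 2003 host to be scanned. Assumes sc.exe, reg.exe
rem and "netsh firewall" are present (Windows 2000 needs the Resource Kit tools).
rem Optional argument (hypothetical usage): the local account the scanner uses.
setlocal
set FAIL=0

rem Server service: File and Printer Sharing works only when it is enabled.
call :svc LanmanServer
rem Remote Registry: must be running and set to start automatically.
call :svc RemoteRegistry
sc qc RemoteRegistry | find "AUTO_START" >nul
if errorlevel 1 (echo [FAIL] RemoteRegistry start type is not automatic& set FAIL=1) else (echo [ OK ] RemoteRegistry start type is automatic)

rem Simple File Sharing is stored as Lsa\forceguest; 0x1 means SFS is on.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest | find "0x1" >nul
if errorlevel 1 (echo [ OK ] Simple File Sharing is disabled) else (echo [FAIL] Simple File Sharing is enabled& set FAIL=1)

rem Windows Firewall: if it is on, the Remote Administration exception must be set.
netsh firewall show state | find /i "Operational mode" | find /i "Disable" >nul
if not errorlevel 1 (echo [ OK ] Windows Firewall is off& goto account)
netsh firewall show state | find /i "Remote admin mode" | find /i "Enable" >nul
if errorlevel 1 (echo [FAIL] Remote Administration exception is not set& set FAIL=1) else (echo [ OK ] Remote Administration exception is set)

:account
rem Substring match against the member list of the local Administrators group.
if "%~1"=="" goto done
net localgroup Administrators | find /i "%~1" >nul
if errorlevel 1 (echo [FAIL] %~1 is not in the local Administrators group& set FAIL=1) else (echo [ OK ] %~1 is in the local Administrators group)

:done
rem Exit code 0 means every check passed, 1 means at least one failed.
endlocal & exit /b %FAIL%

:svc
rem %1 is the service key name; sc query reports STATE ... RUNNING when started.
sc query %1 | find "RUNNING" >nul
if errorlevel 1 (echo [FAIL] %1 service is not running& set FAIL=1) else (echo [ OK ] %1 service is running)
goto :eof
```

The script changes nothing on the host; a non-zero exit code flags a host that still needs one of the settings described above.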