SmokinGun
Junior Member
posted on 7-13-2006 at 11:45 AM |
Bypass firewall?
Hello,
I'm a system admin that would like to use this in my organization.
My company is currently in a mixed mode environment, half on the domain and half off. I plan on getting everyone on it as time goes on, so I'm
really only interested in getting this working for the domained folks at this time.
I downloaded this program and took it home to my personal domain. I installed it and scanned the machine next to me, no problem. However, I then
enabled the firewall of the machine next to me and it stopped everything dead in its tracks. I added my administrator credentials, same result.
By default, users firewalls are enabled on XP installs, and users turn them on and off on their laptops when they travel, etc. If all it takes to
kill these software scans is a user turning on the firewall, I don't see how this could ever become useful in my organization. Sure, I could do a
group policy and knock out all the users firewalls, but people that travel need them in order to protect themselves.
Am I missing something or will this only work when the firewall is off on the client machines? Does this software have the capability to push some
kind of agent to the clients through AD to ensure the port needed is open? I'd love to use this but I just don't see how I could get around this
issue.
Komodo Support
Super Administrator
posted on 7-13-2006 at 02:15 PM |
Hello. By default the Windows firewall is most secure, meaning it doesn't allow any access to the machine even if you have credentials. In a
domain, this is an easier change than in a workgroup.
In a domain, you do the following:
Enable the File and Printer Sharing exception group policy. This allows general computer and file access.
The other is to enable "Allow remote administration exception", which can be found at the following path in the Group Policy Editor:
Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. This allows access to the remote machine via WMI.
This is similar for workgroup computers:
1. Enable the File and Printer Sharing exception under the firewall settings.
2. Change the local policy for the "remote administration exception". This can be done through the local policy editor or you can simply run this
WMI script locally on the machine to let it change the setting:
http://www.komodolabs.com/OpenFireWallForWMI.zip
We are currently working on new methods of scanning so only 1 change needs to be made instead of 2.
Please let us know if we can be of further assistance.
SmokinGun
Junior Member
posted on 7-21-2006 at 08:51 PM |
Ok, I set up a new OU and put my test machines in it. I applied the group policy's Allow remote administration exception and Allow file and printer
sharing exception. I also set the group policy refresh to update every 7 seconds.
After doing this, I checked the firewall settings on the client machine and file and printer sharing was greyed out, meaning it took the policy. I
turned the rest of the firewall on and checked the don't allow exceptions option. I opened NEWT and tried to scan the test machine, but got an
error. NEWT's scan status says "computer off? The network path was not found". I then tried to ping the client machine from a command prompt, no
response.
I then turned the firewall completely off on the client. I could then ping the machine. I then opened NEWT and ran a scan, it worked without
error.
It looks as if I need some other kind of group policy to allow NEWT to work around a client that has their Windows firewall turned on and not allowing
exceptions. Any idea what it is?
Komodo Support
Super Administrator
posted on 7-22-2006 at 09:17 AM |
It could be that ping requests are not enabled by default when setting up a new OU like they are on a detached Windows XP box.
Try re-enabling the firewall, but then under ICMP Settings, enable the setting called "Allow incoming echo request".
Hopefully, you should then have a fully working setup.
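A verification script added here (not from the thread or from Komodo Labs) that reports, for the domain profile, whether the settings both replies describe are in effect on a client: the File and Printer Sharing exception, the remote administration exception, inbound ICMP echo, and the "Don't allow exceptions" switch that blocked the second test. It assumes the registry locations below are where Group Policy and the local firewall configuration store those values; run it on the client as an administrator.

```powershell
# Added example (not from the forum thread or Komodo Labs): report the effective
# Windows Firewall domain-profile settings that the replies above depend on.
# Assumption: policy-delivered values live under the Policies\WindowsFirewall key
# and locally configured values under SharedAccess\Parameters\FirewallPolicy.

$fwProfile  = 'DomainProfile'
$policyRoot = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile"
$localRoot  = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile"

# Each check: a friendly name, the subkey relative to the profile, the value name,
# and the value that means "scanning can get through".
$checks = @(
    @{ Name = 'Firewall enabled';                   SubKey = '';                      Value = 'EnableFirewall';          Want = 1 },
    @{ Name = 'Block all exceptions (must be 0)';   SubKey = '';                      Value = 'DoNotAllowExceptions';    Want = 0 },
    @{ Name = 'File and Printer Sharing exception'; SubKey = 'Services\FileAndPrint'; Value = 'Enabled';                 Want = 1 },
    @{ Name = 'Remote administration exception';    SubKey = 'RemoteAdminSettings';   Value = 'Enabled';                 Want = 1 },
    @{ Name = 'ICMP inbound echo request';          SubKey = 'IcmpSettings';          Value = 'AllowInboundEchoRequest'; Want = 1 }
)

function Get-FirewallValue {
    param([string]$Root, [string]$SubKey, [string]$Name)
    $path = if ($SubKey) { Join-Path $Root $SubKey } else { $Root }
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$Name) { return $null }
    return [int]($item.$Name)
}

foreach ($c in $checks) {
    $policy = Get-FirewallValue -Root $policyRoot -SubKey $c.SubKey -Name $c.Value
    $local  = Get-FirewallValue -Root $localRoot  -SubKey $c.SubKey -Name $c.Value
    # A value delivered by Group Policy overrides the locally configured one.
    if ($null -ne $policy)    { $effective = $policy; $source = 'GPO' }
    elseif ($null -ne $local) { $effective = $local;  $source = 'local' }
    else                      { $effective = $null;   $source = 'not set (default)' }
    $state = if ($null -eq $effective) { 'UNKNOWN' }
             elseif ($effective -eq $c.Want) { 'OK' }
             else { 'FIX' }
    '{0,-7} {1,-38} value={2} ({3})' -f $state, $c.Name, $effective, $source
}
```

A line marked FIX for "Block all exceptions" reproduces the failure in the second post: with that switch on, the two exception policies are applied but ignored, and the scan and the ping both fail.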