Overview

This article provides step-by-step processes on scanning a Microsoft Windows Vista / Server 2008 / Windows 7 machine.

Process

By default, the Microsoft Windows Vista, Microsoft Windows 7 and Microsoft Windows 2008 built-in firewall disable various ports and services.

The following settings must be made on a Windows Vista / Windows 7 / Server 2008 machine which will be scanned remotely using GFI EventsManager.

Setting 1: Enabling Remote Event Log Management

• Microsoft Windows Vista and Microsoft Windows Server 2008
  1. Choose Control Panel > Security: Allow a program through Windows Firewall > Exceptions.
  2. Select the following rules:
     • Remote Event Log Management
     • File and Printer Sharing
     • Network Discovery
  3. Confirm the changes. 
• Microsoft Windows 7
  1. Choose Control Panel > System and Security.
  2. In the Windows Firewall section, click on 'Allow a program through Windows Firewall'.
  3. From the Allowed programs and features list, enable the following rules:
     • Remote Event Log Management
     • File and Printer Sharing
     • Network Discovery
  4. Select Domain, Private and Public for each rule mentioned above.
  5. Click OK to apply changes.

Setting 2: Enabling Microsoft SQL Server Port

In order to access a remote SQL server, you have to create a firewall rule on the SQL server host that allows communication on TCP port 1433.

• Microsoft Windows Vista and Microsoft Windows Server 2008
  1. Choose Control Panel > Security: Allow a program through Windows Firewall > Exceptions.
  2. Click on 'Add port'. In the 'Add port' window enter the following properties:
     • Name: SQL Server port
     • Port Type: TCP
     • Port Number: 1433
  3. Confirm the changes.
• Microsoft Windows 7
  1. Choose Control Panel > System and Security > Windows Firewall.
  2. Click on the Advanced Settings link.
  3. Right-click on Inbound Rules and select New Rule.
  4. Select Port and click Next.
  5. Ensure TCP is selected.
  6. Select 'Specific local ports' and enter 1433.
  7. Click Next to proceed.
  8. Select the option 'Allow the connection' and click Next.
  9. Tick the options 'Domain' and 'Private'. Click Next.
  10. Enter the name SQL Server port and click Finish.

Setting 3: Enabling GFI EventsManager Port

In order for GFI EventsManager to be able to collect Windows Events from Microsoft Vista and newer operating systems, UDP/TCP port 49153 needs to be allowed.

• Microsoft Windows Vista and Microsoft Windows Server 2008
  1. Choose Control Panel > Security: Allow a program through Windows Firewall > Exceptions.
  2. Click on 'Add port'. In the 'Add port' window, enter the following properties:
     • Name: GFI EventsManager port
     • Port Type: TCP
     • Port Number: 49153
  3. Confirm the changes.
• Microsoft Windows 7
  1. Choose Control Panel > System and Security > Windows Firewall.
  2. Click on the Advanced Settings link.
  3. Right-click on Inbound Rules and select New Rule.
  4. Select Port and click Next.
  5. Ensure TCP is selected.
  6. Select 'Specific local ports' and enter 49153.
  7. Click Next to proceed.
  8. Select the option 'Allow the connection' and click Next.
  9. Tick the options 'Domain' and 'Private'. Click Next.
  10. Enter the name GFI EventsManager port and click Finish.

More information

• In order to scan a Microsoft Windows Vista / Windows 7 / Server 2008 machine, it is required to use domain admin accounts since only these accounts have the full administrator access token necessary to access the registry and system files. Due to User Account Control (UAC), it is not possible to scan Microsoft Windows Vista / Windows 7 / Server 2008 machine using local accounts when UAC is enabled.
• In order to scan Microsoft Windows Vista / Server 2008 machine remotely using local accounts, it is necessary to disable UAC completely or disable UAC for remote operations only.
• UAC can be disabled completely by altering security policies as follows:
  1. Open the Security Policy Manager snap-in (Start > Run > secpol.msc).
  2. In the Security Options setting, 'Run all administrators' in Admin Approval Mode should be disabled.
  3. Apply the changes.
• UAC can also be disabled only for any remote operations taking place on the Microsoft Windows Vista / Windows 7 / Server 2008 machine. This can be done from the registry as follows:
  1. Open Registry Editor (Start > Run > Regedit).
  2. Browse to: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
  3. Create a new DWORD value: LocalAccountTokenFilterPolicy.
  4. Set LocalAccountTokenFilterPolicy to 1.

Notes

• For more information about UAC, refer to the Windows Vista Application Development Requirements for User Account Control Compatibility.
• For more information about firewall configuration, refer to Configure the Windows Firewall to Allow SQL Server Access.