MBSA 2.0…so what am I missing?

On March 28, 2006, in Security, by

MBSA 1.2….just went…scanned bam…bing done.


MBSA 2.0 with the XP sp2 firewalls..even with my modifications for additional management…either MBSA doesn’t find the machines….or when it does find them… it can’t scan the windows catalog due to firewall issues….and of course we really don’t want to turn off the firewalls at the workstations…..


…and so the instructions to get MBSA to work are below ….


I got the COM hotfix .. I think (I mean right?  it’s in 05-051.. I don’t have to edit or flag with extra keys to get those extra COMy things installed right?)


And it sounds like I need to deploy that registry key?… so like.. can I ask a stupid question… I mean I know us SBSers have our own policy and all that…but it seems to me that other than this issue with MBSA it’s kind of a decent group policy template for everyone to suck down and use in a network… so why isn’t that reg key policy already ready to go inside of every Windows 2003 server that would be used to control any XP sp2 firewall?  I mean like why isn’t there a blonde “install this to decently manage, patch and control your network” adm template that would just be there for a typical firm?


Does anyone have MBSA 2.0..not three mind you… scanning consistently on a SBS 2003 with ISA 2004 that didn’t add this group policy registry key..and if so how did you do it?…Otherwise I’m about to add another setting to the default SBS group policy for XP sp2 firewalls.


————————————- 

Please refer to:

MBSA 2.0 Frequently Asked Questions
http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx

Please search for the question:

How can I scan a computer that is protected by a firewall?

Generally, there are 3 steps to complete the task. Step 2 is optional and
applies only if there are any unmanaged computers that do not belong to your
domain. For your convenience, I copied the steps here:

Step 1: Review system requirements

MBSA cannot scan a remote computer protected by a firewall unless the
firewall is configured to open the ports that MBSA uses to communicate
with the computer. The Windows Update Agent implements a remote scanning
interface based on DCOM. The account being used to scan must possess
local administrator rights. The computer must also be configured to meet
the following conditions:

– The Server service, Remote Registry service, and File and Print
Sharing service must be running on the remote computer.
– The required ports must be open on the firewall.
– The Windows Update Agent must be installed and the Automatic Updates
service must not be disabled.

Remote computer scans are performed using TCP port 135, a dynamic or
static DCOM port, and ports 139 and 445. In a multi-domain environment
where a firewall or filtering router separates the two networks, TCP
ports 135, 139 and 445 and UDP ports 137 and 138 must be open in order
for MBSA to connect and authenticate to the remote computer being
scanned. You must allow these ports to be open on the remote firewall if
a personal firewall is being used.

Note: The use of DCOM for remote scanning through Windows Firewall on
all versions of Windows XP may require a post-SP2 hotfix as described in
Microsoft Knowledgebase article 895200, “Availability of the Windows XP
COM+ Hotfix Rollup Package 9”. Customers may now obtain this fix by
installing the COM+ update (KB 902400) using these procedures:

1. Download the update from
http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7
on the Microsoft Download Center.

2. Copy the update to the computer you are updating and open a command
prompt on that computer.

3. Run the update using the command line options described in KB article
824994 (specifically, the /B:SP2QFE command line option). Doing this
will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes,
in addition to the fixes released in the security bulletin MS05-051.

Step 2: Configure Unmanaged Computers

DCOM allocates a dynamic port by default, but a firewall blocks access
to these ports unless explicitly opened by using the following
procedure:

1. Open port 135 and a custom port in your firewall (some firewalls may
allow port 135 by default). The port you select should be checked to
ensure it is appropriate, or not associated with other applications.

2. Configure Windows Update Agent to use this static custom port by
setting a registry key as follows:
HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints
REG_MULTI_SZ “ncacn_ip_tcp,0,n”
(where n is the port number you have decided to use.) You may also
configure the endpoint using the Component Services application in
Control Panel. The Windows Update Agent – Remote Access endpoint is
located under the path Component Services\Computers\My Computer\DCOM
Config. Right-click and select Properties, then use the Endpoints tab on
the Properties page to configure the static port.

Step 3: Configure Managed Computers

Use Group Policy to deploy specific administrative firewall and COM+
settings to target computers. You may use the Group Policy editor to
create the needed configuration settings as documented in “Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2”,
in the section entitled “Deploying Windows Firewall Settings With Group
Policy”.

Windows Firewall Settings: The following Windows Firewall settings
should be used:

– Windows Firewall: Allow remote administration exception. Used to
enable remote configuration using tools such as Microsoft Management
Console (MMC) and Windows Management Instrumentation (WMI).
– Windows Firewall: Allow file and print sharing exception. Used to
specify whether file and printer sharing traffic is allowed.
– Windows Firewall: Define port exceptions. Used to specify excepted
traffic in terms of TCP and UDP ports. In this step, define the same
ports as you selected for unmanaged computers and from the system
requirements step.

Additional details on the settings available within the administrative
template for Windows Firewall have been documented in “Using the Windows
Firewall INF File in Microsoft Windows XP Service Pack 2” the sections
labeled “Enabling Remote Administration” and “Adding Static Ports to
Windows Firewall’s Default Exceptions List”.

COM+ Settings: The COM+ endpoint registry settings for the Windows
Update Agent can be configured as a Group Policy registry policy object.
Guidance on how to create a policy for this is located in the Microsoft
Knowledgebase article 323639, and includes a generic sample that you can
modify. When doing this, you must base the policy registry key on the
following:

HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints
REG_MULTI_SZ “ncacn_ip_tcp,0,n”
(where n is the port number you have decided to use.)

Note: When using this method, be aware that additional administrative
template settings may be needed in order to remove this registry setting
when the functionality is no longer desired.
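As an added example (not code from the original post or from Microsoft’s FAQ), here is a cmd.exe batch script for one unmanaged XP SP2 workstation that checks the Step 1 prerequisites, applies the Step 2 static endpoint, and adds the Step 3 firewall exceptions locally, scoped to the scanning server only instead of the whole LAN. The server address 192.168.16.2, the port 5000 and the service-restart step are assumptions; the dllhost.exe exception mentioned in the comments on this post is included as a commented-out alternative.

```batch
@echo off
rem Added example, not from the original post or from Microsoft's MBSA FAQ:
rem prepare one unmanaged XP SP2 workstation so the MBSA 2.0 console can reach
rem the Windows Update Agent through Windows Firewall. Assumed values: the
rem scanning server is 192.168.16.2 and the chosen static DCOM port is 5000.
setlocal
set SCANNER=192.168.16.2
set WUAPORT=5000
set WUAAPPID={B366DEBE-645B-43A5-B865-DDD82C345492}

rem Step 1 prerequisites: Server and Remote Registry running, Automatic Updates not disabled.
sc query lanmanserver | find "RUNNING" >nul || echo WARNING: Server service is not running
sc query RemoteRegistry | find "RUNNING" >nul || echo WARNING: Remote Registry service is not running
sc qc wuauserv | find "DISABLED" >nul && echo WARNING: Automatic Updates service is disabled

rem Step 2: pin the Windows Update Agent DCOM endpoint to the static TCP port.
reg add "HKLM\Software\Classes\AppID\%WUAAPPID%" /v Endpoints /t REG_MULTI_SZ /d "ncacn_ip_tcp,0,%WUAPORT%" /f

rem Open the RPC endpoint mapper (135) and the static port, scoped to the
rem scanning server only (scope=CUSTOM) rather than to every host on the LAN.
netsh firewall add portopening protocol=TCP port=135 name="RPC endpoint mapper (MBSA)" mode=ENABLE scope=CUSTOM addresses=%SCANNER%
netsh firewall add portopening protocol=TCP port=%WUAPORT% name="WUA static DCOM port (MBSA)" mode=ENABLE scope=CUSTOM addresses=%SCANNER%

rem The two built-in exceptions the FAQ lists for Step 3, applied locally here
rem (on domain members these would come from Group Policy instead).
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=%SCANNER%
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%SCANNER%

rem Alternative reported in the comments on this post: instead of a static
rem port, allow the DCOM surrogate process itself, again only from the scanner.
rem netsh firewall add allowedprogram program=%windir%\system32\dllhost.exe name="DCOM Surrogate (MBSA)" mode=ENABLE scope=CUSTOM addresses=%SCANNER%

rem Restart Automatic Updates so the endpoint setting is re-read (assumption:
rem a service restart is enough; a reboot also works).
net stop wuauserv
net start wuauserv

rem Show what is now in effect before kicking off the scan from the console.
reg query "HKLM\Software\Classes\AppID\%WUAAPPID%" /v Endpoints
netsh firewall show portopening
netsh firewall show service
endlocal
```

Run it from an elevated command prompt on the workstation; on domain members, keep the firewall exceptions in Group Policy as Step 3 describes so they are not silently overwritten by policy refresh.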


3 Responses to MBSA 2.0…so what am I missing?

  1. Rob says:

    It’s strange that v2.0 can’t do what v1.2 could (scan through Windows Firewall).

    I’ve fought with this one, and have so far skipped v2.0’s (3-page) hassle, since v1.2 Just Works.

    ..Any idea why v2.0 can’t do it?

  2. Brian Kruse says:

    Ran into this myself…after going through the KB article I finally found someone’s post that led me to try the following which worked on a non-ISA system so it may or may not work with ISA. I added an exception to the GP firewall settings to allow C:\WINDOWS\SYSTEM32\dllhost.exe to accept requests from the server only. You’ll have to use %windir%\system32\dllhost.exe in the GP since the : won’t work. Hope that helps!

  3. Bill V says:

    Susan,

    I tried using 2.0 with the same problem. So, continue to use 1.2 until a version is released that will work with the firewall. No ISA here though, SBS Std.

    BV