Wednesday, March 2, 2011

Enable MBSA Remote Scan Through Windows Firewall

I am using MBSA for Windows server security audit reports. The MBSA FAQ outlines the steps for a successful remote security scan, but systems whose Windows Firewall is managed through GPO need additional work. The reason is the default permissions on the registry key HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}: the value that fixes the DCOM port has to be written there, and Administrators cannot write the key until its ownership and ACL are changed. This solution was tested in a Hyper-V based virtual environment with Windows Server 2008 R2; see the reference links at the end.

The startup script below (posted as a screenshot in the original post) uses the REG and SUBINACL tools: SUBINACL takes ownership of the key and grants Administrators and SYSTEM full control, and REG adds the Endpoints value.

The port exceptions (also posted as a screenshot in the original post) are as follows.

Additionally, the policies "Windows Firewall: Allow inbound file and printer sharing exception" and "Windows Firewall: Allow inbound remote administration exception" are enabled, scoped to the scanning server.
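The whole procedure as one idempotent PowerShell startup script, added here as an example; it is not the post's own script. It keeps SUBINACL for the ownership and ACL step, as the post does, sets the Endpoints value the post uses (ncacn_ip_tcp,0,49494, a fixed DCOM TCP port for the Windows Update Agent AppID above), and then applies local Windows Firewall equivalents of the post's GPO settings with netsh advfirewall: an inbound rule for that port restricted to the scanning host, plus the "File and Printer Sharing" and "Remote Administration" rule groups. The scanner address 10.0.0.5, the rule name, and the location of subinacl.exe next to the script are assumptions. Run it elevated on the target system.

```powershell
# Added example, not the post's script. Assumptions: subinacl.exe sits in the
# script's folder, the MBSA scanning server is 10.0.0.5, the rule name is arbitrary.
param(
    [string]$ScannerIP = '10.0.0.5',   # assumption: address of the MBSA scanner
    [int]$Port         = 49494         # fixed DCOM port used throughout the post
)
$ErrorActionPreference = 'Stop'
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$SubInAcl  = Join-Path $ScriptDir 'subinacl.exe'   # assumption: tool location

# DCOM AppID from the post; two spellings of the same key, one for the registry
# provider and one for SubInACL's /keyreg syntax.
$AppId    = '{B366DEBE-645B-43A5-B865-DDD82C345492}'
$RegPath  = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
$RegKey   = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\$AppId"
$Endpoint = "ncacn_ip_tcp,0,$Port"   # protocol sequence, flags, TCP port

function Test-EndpointConfigured {
    # Idempotency check: true when Endpoints already contains our entry, so the
    # ACL change and registry write are skipped on every later boot.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Endpoints) { return $false }
    return [bool]($props.Endpoints -contains $Endpoint)
}

function Grant-KeyAccess {
    # The key's default permissions do not let Administrators write it, so take
    # ownership and grant Full Control to Administrators and SYSTEM, as the post does.
    if (-not (Test-Path $SubInAcl)) { throw "subinacl.exe not found at $SubInAcl" }
    foreach ($arg in '/setowner=Administrators', '/grant=Administrators=F', '/grant=SYSTEM=F') {
        & $SubInAcl /keyreg $RegKey $arg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "subinacl $arg failed (exit code $LASTEXITCODE)" }
    }
}

function Set-Endpoint {
    # Writes a one-entry REG_MULTI_SZ, replacing any existing value (like REG ADD /f).
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name 'Endpoints' -Type MultiString -Value ([string[]]@($Endpoint))
}

function Add-ScannerFirewallRule {
    # Local equivalent of the post's GPO port exception: inbound TCP on the fixed
    # port, allowed only from the scanning server instead of from any address.
    $name = "MBSA DCOM $Port"   # assumption: arbitrary rule name
    $existing = netsh advfirewall firewall show rule name="$name"
    if ($existing -match 'Rule Name:') { return }
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$Port remoteip=$ScannerIP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add firewall rule '$name'" }
}

function Enable-AdminRuleGroups {
    # Local equivalent of the two GPO policies the post enables for the scanner.
    foreach ($group in 'File and Printer Sharing', 'Remote Administration') {
        netsh advfirewall firewall set rule group="$group" new enable=Yes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not enable rule group '$group'" }
    }
}

if (Test-EndpointConfigured) {
    Write-Host "Endpoints already contains $Endpoint; registry unchanged."
} else {
    Grant-KeyAccess
    Set-Endpoint
    if (-not (Test-EndpointConfigured)) { throw 'Endpoints value was not written' }
    Write-Host "Endpoints set to $Endpoint."
}
Add-ScannerFirewallRule
Enable-AdminRuleGroups
Write-Host "Firewall opened for $ScannerIP on TCP $Port."
```

The netsh rule is deliberately scoped with remoteip rather than opening TCP 49494 to every host; when the firewall is GPO-managed, as in the post, the same scope belongs in the GPO port exception and these local rules are only a stand-in for testing. A DCOM process that is already running keeps its old endpoint, so the value takes effect after the next restart of the target.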

References:

1. http://www.microsoft.com/mbsa
2. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en


6 comments:

  1. Hi.

    I will post the manual work for this.

    Regards

    ReplyDelete
  2. Hi, it would be nice if you could post the strings from the screenshots as text, so it's possible to copy-paste them :) Thanks.

    ReplyDelete
  3. This is the file we use:

    ConfigAdwFW-MBSA.cmd
    ---
    @Echo Off
    Cls

    Rem AppID key whose DCOM endpoint is fixed; UtilDir holds subinacl.exe
    Set RegKey=HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}
    Set UtilDir=\\SERVER\Utils\W2K3_ResKit

    Rem Skip everything if the Endpoints value is already set (runs at every startup)
    Reg Query "%RegKey%" /v Endpoints | Find /i "ncacn_ip_tcp,0,49494"
    If %Errorlevel% equ 0 Goto End

    Rem Take ownership and grant Full Control so the key can be written
    "%UtilDir%\subinacl.exe" /keyreg "%RegKey%" /setowner=Administrators
    "%UtilDir%\subinacl.exe" /keyreg "%RegKey%" /grant=Administrators=F
    "%UtilDir%\subinacl.exe" /keyreg "%RegKey%" /grant=SYSTEM=F

    Rem Fixed DCOM endpoint: TCP port 49494
    Reg Add "%RegKey%" /v Endpoints /t REG_MULTI_SZ /d ncacn_ip_tcp,0,49494 /f

    :End
    ---

    ReplyDelete
  4. Make sure the FIND command contains the correct number of spaces (omitted by the browser in the above) or just use Find /i "ncacn_ip_tcp,0,49494" instead - that ought to be enough I guess.

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Here is the PowerShell version. I kept subinacl.exe with my script (same folder).

    Function RegistryValue($Regkey, $name)
    {
        # Change rights on the registry key (subinacl.exe is in the script folder)
        cd $PSScriptRoot
        .\subinacl.exe /keyreg $Regkey /setowner=Administrators
        .\subinacl.exe /keyreg $Regkey /grant=Administrators=F
        .\subinacl.exe /keyreg $Regkey /grant=SYSTEM=F

        # Add the new value for the DCOM settings (same key, registry-provider path)
        $Path = $Regkey -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'
        Set-ItemProperty -Path $Path -Name $name -Type MultiString -Value ([string[]]("ncacn_ip_tcp,0,49494"))
    }
    #*=============================================

    $Regkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}"
    $name = "Endpoints"

    RegistryValue $Regkey $name

    ReplyDelete