
Pre-Scan Network Configuration Checklist


ZZ Servers’ security tools can gather a great deal of information from the target network with little preparation – and with very little footprint! However, if you are having trouble with scans or can configure the target network in advance, we recommend the settings below.

These checklists detail the recommended network configurations for Windows Domain and Workgroup environments.

You must have the .NET 3.5 framework installed on machines to use all data collector and server/appliance tools.

Checklist for Domain Environments

Share this checklist with your IT Administrator and ask them to configure your network’s Domain Controller as follows:

Complete? | Domain Configuration
GPO Configuration for Windows Firewall (Inbound Rules)
Allow Windows Management Instrumentation (WMI) service to operate through Windows Firewall.

This includes the following rules:

– Windows Management Instrumentation (ASync-In)
– Windows Management Instrumentation (WMI-In)
– Windows Management Instrumentation (DCOM-In)
Allow File and printer sharing to operate through Windows Firewall.

This includes the following rules:

– File and Printer Sharing (NB-Name-In)
– File and Printer Sharing (SMB-In)
– File and Printer Sharing (NB-Session-In)
Enable Remote Registry “read-only” access on computers targeted for scanning.

Restrict Remote Registry access to the user account whose credentials will be used during network and local computer scans.
Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

Windows Firewall rules may need to be created or enabled on Windows computers to allow:

– the computer operating the network data collector to send ICMP echo request messages to Windows computers and network devices
– each computer to send ICMP echo reply messages in response to an ICMP echo request.

ICMP requests detect active Windows computers and network devices to scan.
GPO Configuration for Windows Services
Windows Management Instrumentation (WMI)

– Startup Type: Automatic
Windows Update Service

– Startup Type: Automatic
Remote Registry

– Startup Type: Automatic
Remote Procedure Call

– Startup Type: Automatic
Network Shares
Admin$ must be present and accessible using the supplied credentials (usually a local admin or a user in the local computer’s Administrative Security group).
3rd Party Firewalls
Ensure that 3rd party Firewalls are configured similarly to Windows Firewall rules described within this checklist.

This is a requirement for both Active Directory and Workgroup Networks.

Checklist for Workgroup Environments

Before performing a workgroup assessment, run the following PowerShell commands on the target network and the machine performing the scan. These three configurations should help you avoid most issues in a workgroup environment. Each command is followed by an explanation and link to Microsoft documentation.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

By default, UAC only allows remote administration tasks to be performed by the Built-in Administrator account. To work around this, this command sets the LocalAccountTokenFilterPolicy registry value to 1. This allows any local admin to perform remote administrative tasks (such as accessing the system shares C$ and Admin$).

https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

This command enables the predefined Windows Firewall rules in the WMI rule group, allowing inbound access to the WMI service and namespaces.

https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes

This command enables the predefined firewall rules in the File and Printer Sharing rule group, which turns on File and Printer Sharing on the machine. Access to the Admin$ share on remote machines requires File and Printer Sharing.

https://answers.microsoft.com/en-us/windows/forum/all/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354
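The following PowerShell script is an added example, not part of the original checklist or of ZZ Servers' tooling. Run on a scan target, it reports whether the registry value, firewall rules, services and Admin$ share named on this page are in place, and includes a function that sets LocalAccountTokenFilterPolicy back to 0 once scanning is finished. The function names, the service short names (Winmgmt, wuauserv, RemoteRegistry, RpcSs) and the use of English firewall rule names are assumptions of this example.

```powershell
# Added example (not ZZ Servers' code). Run in an elevated session on a scan target.
# Assumes English firewall rule names and Windows PowerShell 5.1 or later.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function New-Check($Item, $State, $Ready) {
    [pscustomobject]@{ Item = $Item; State = $State; Ready = [bool]$Ready }
}

function Get-PreScanState {
    # 1 = remote logons by local admin accounts are no longer restricted by UAC
    $v = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $state = if ($null -eq $v) { 'not set' } else { $v }
    New-Check 'LocalAccountTokenFilterPolicy' $state ($v -eq 1)

    # Inbound rules named on the checklist; one name can match a rule per profile
    $ruleNames = 'Windows Management Instrumentation (ASync-In)',
                 'Windows Management Instrumentation (WMI-In)',
                 'Windows Management Instrumentation (DCOM-In)',
                 'File and Printer Sharing (NB-Name-In)',
                 'File and Printer Sharing (SMB-In)',
                 'File and Printer Sharing (NB-Session-In)'
    foreach ($name in $ruleNames) {
        $rules = @(Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
        $on = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        New-Check "Firewall: $name" "$on of $($rules.Count) enabled" ($on -gt 0)
    }

    # Services the checklist wants set to Startup Type: Automatic
    foreach ($svcName in 'Winmgmt', 'wuauserv', 'RemoteRegistry', 'RpcSs') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
        New-Check "Service: $svcName" "$($svc.StartMode), $($svc.State)" ($svc.StartMode -eq 'Auto')
    }

    # Admin$ must exist for the scan credentials to reach it
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $path = if ($share) { $share.Path } else { 'missing' }
    New-Check 'Share: ADMIN$' $path ($null -ne $share)
}

function Restore-UacRemoteRestriction {
    # Undo the reg add command after the scan: 0 restores the default UAC remote restriction
    Set-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
}

Get-PreScanState | Format-Table -AutoSize
```

Call Restore-UacRemoteRestriction separately after the assessment; the report itself makes no changes to the machine.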

You can also share this checklist with your IT Administrator and ask them to configure each computer in your workgroup as follows:

Complete? | Workgroup Configuration
Network Settings
Admin$ must be present on the computers you wish to scan and be accessible with the login credentials you provide for the scan.
File and printer sharing must be enabled on the computers you wish to scan.
Ensure the Windows Services below are running and allowed to communicate through Windows Firewall:

– Windows Management Instrumentation (WMI)
– Windows Update Service
– Remote Registry
– Remote Desktop
– Remote Procedure Call
Workgroup computer administrator user account credentials.

Before configuring scan settings for workgroups, prepare a list of the administrator user account credentials for the workgroup computer(s), for entry into the scan settings wizard.
Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

Windows Firewall rules may need to be created or enabled on Windows computers to allow:

– the computer operating the security tools’ network data collector to send ICMP echo request messages to Windows computers and network devices
– each computer to send ICMP echo reply messages in response to an ICMP echo request.

ICMP requests detect active Windows computers and network devices to scan.
Updated on December 8, 2022
