Windows Domain Account - Group Policy

Best practice Group Policy settings for authenticated scanning of Windows systems are described below.

Important! We highly recommend that you discuss any Group Policy changes with your network administrator before implementing them, as your local network configuration may depend on certain settings being in place. Qualys does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client.

Security Options

The Security Options settings are located here:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

System Services

The System Services settings are located here:

Computer Configuration > Windows Settings > Security Settings > System Services

Administrative Templates

The Administrative Template settings are located here:

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

For the setting "Windows Firewall: Protect all network connections" the value can be Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your networking environment. If you choose Enabled and the firewall blocks a port, that port is not vulnerable unless it is later opened. As a best practice, re-scan any time you open a port that was previously not open.

If Enabled, these settings are also required.

* In the "Allow unsolicited messages from" field, enter "*" (do not enter quotes) or the IP address assigned to your scanner appliance(s) to be used for internal scanning. To view the scanner IP addresses for your account, go to Help > About on the top menu bar.
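
Because Group Policy changes can take hours to reach a client, it helps to confirm on the target what actually applied. The following PowerShell script is an added example, not part of the original Qualys documentation: it reports the Domain Profile firewall state and shows whether each enabled exception's "Allow unsolicited messages from" scope is "*" or limited to the scanner. It assumes the Windows Firewall administrative template stores its values under the policy registry key shown, and `192.0.2.10` is a placeholder for your scanner appliance IP.

```powershell
# Added example: audit how the Domain Profile firewall policy landed on a client.
# Assumption: the Windows Firewall administrative template writes its values
# under the policy key in $base. $ScannerIPs holds placeholder addresses.
param(
    [string[]]$ScannerIPs = @('192.0.2.10')   # placeholder scanner appliance IP(s)
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Classify one "Allow unsolicited messages from" value (comma-separated list).
# Entries are compared as exact strings; a subnet that contains the scanner
# is reported as "not listed" so that it gets a manual look.
function Get-ScopeFinding {
    param([string]$Scope, [string[]]$Expected)
    $entries = @($Scope -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains '*') { return 'ANY source allowed (*)' }
    $missing = @($Expected | Where-Object { $entries -notcontains $_ })
    if ($missing.Count) { return "scanner IP(s) not listed: $($missing -join ', ')" }
    $extra = @($entries | Where-Object { $Expected -notcontains $_ })
    if ($extra.Count) { return "scanner listed, plus other sources: $($extra -join ', ')" }
    return 'restricted to scanner IP(s)'
}

if (-not (Test-Path $base)) {
    Write-Output 'No Domain Profile firewall policy found (GPO not applied yet?)'
    return
}

# "Windows Firewall: Protect all network connections"
$enable = (Get-ItemProperty -Path $base -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
if     ($enable -eq 1) { $state = 'Enabled' }
elseif ($enable -eq 0) { $state = 'Disabled' }
else                   { $state = 'Not configured' }
Write-Output "Protect all network connections: $state"

# Every enabled exception under the profile that carries an address scope
Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $props.RemoteAddresses -and $props.Enabled -eq 1) {
        [pscustomobject]@{
            Exception = $_.PSChildName
            Scope     = $props.RemoteAddresses
            Finding   = Get-ScopeFinding -Scope $props.RemoteAddresses -Expected $ScannerIPs
        }
    }
}
```

A finding of "ANY source allowed (*)" means the exception is reachable from every host the Domain Profile applies to, not only the scanner, which is worth weighing when choosing between the two values the field accepts.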