Tuesday, May 5, 2015

Configuring Anti-Virus & Firewall Settings

Anti-virus programs and firewalls can block most or all of the communication to and from a computer. As a result, Spiceworks may not be able to communicate with and scan devices on your network. To avoid confusion, we address the two antivirus and firewall scenarios that can cause problems separately:
  1. The remote computers you are trying to scan or discover from Spiceworks have a locked-down firewall, resulting in missing computers or incomplete data in the Spiceworks inventory.
  2. Anti-virus on the Spiceworks host computer prevents Spiceworks from running correctly, or the host's firewall is locked down and blocks communication with the remote computers (possibly both).


Remote Computers

Firewall Settings

The following ports and protocols will need to be opened before Spiceworks can collect information from your remote computers:
  • ICMPv4 Inbound and Outbound - Needed so that Spiceworks can discover the devices on your network; this is the protocol behind the PING command. Firewalls can permit or block individual ICMP message types. Generally, you will want to permit types 0, 3, 8 and 11.
  • TCP Ports 135 and 445 Inbound - This is needed for Windows Management Instrumentation (WMI) which Spiceworks uses to get detailed information about Windows computers.
  • UDP Port 137 Inbound - This is needed so that Spiceworks can gather information from the Windows Registry.
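A quick way to confirm these prerequisites from the Spiceworks host is to test each remote computer for an ICMP reply and for TCP 135 and 445. The script below is an added example, not code from the original post or from Spiceworks; it assumes Windows 8 / Server 2012 or later (for Test-NetConnection), and the target addresses are constructed placeholders to replace with your own inventory.

```powershell
# Added example (not from the original post or from Spiceworks): verify from
# the Spiceworks host that remote computers are reachable on the ports listed.
# Assumes Windows 8 / Server 2012 or later. Addresses are placeholders.
$Targets = @('192.0.2.20', '192.0.2.21')   # constructed placeholder addresses

function Test-SpiceworksReachability {
    param([Parameter(Mandatory)][string]$ComputerName)

    # ICMPv4: Echo Request (type 8) out, Echo Reply (type 0) back. A blocked
    # type 3 (Destination Unreachable) or 11 (Time Exceeded) will not fail this
    # test but will slow discovery down, which is why the post lists all four.
    $ping = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # WMI needs the RPC endpoint mapper (TCP 135) and SMB (TCP 445).
    $tcp = @{}
    foreach ($port in 135, 445) {
        $tnc = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $tcp[$port] = [bool]$tnc.TcpTestSucceeded
    }

    # UDP 137 (NetBIOS name service) has no handshake, so Test-NetConnection
    # cannot probe it; check the inbound rule on the remote machine instead.
    [pscustomobject]@{
        ComputerName = $ComputerName
        IcmpReply    = $ping
        Tcp135       = $tcp[135]
        Tcp445       = $tcp[445]
    }
}

$Targets | ForEach-Object { Test-SpiceworksReachability -ComputerName $_ } | Format-Table -AutoSize
```

A computer that answers the ping but fails on 135 or 445 is the classic "discovered but no detailed inventory" case; one that fails all three is usually blocked at the ICMP level or simply offline.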

Windows Firewall

If the devices you are trying to scan with Spiceworks are using Windows Firewall, you will need to configure the firewall to allow Windows Remote Administration.

If you are on a domain you should use Group Policy. Otherwise, those who are on a workgroup or don't want to use Group Policy can add the firewall rules manually from the command line.

Manage Windows Firewall via Group Policy

If you are new to Group Policy and need very detailed instructions, please click here. Group Policy is an extremely efficient way to manage your network, so we encourage you to use this how-to to learn it.

Group Policy is an effective, centralized way to set and enforce settings across all Windows devices on your network. With a single change on your Domain Controller, you can reconfigure the Windows Firewall settings for all of the devices you want to inventory with Spiceworks.
  • On your Domain Controller, open the Group Policy Management Console (GPMC). You can use gpmc.msc from a command prompt, or find it in Start > Administrative Tools.

  • Edit or create a new Group Policy Object (GPO) and apply it to the appropriate OU. The GPO should enforce these two settings:

  Windows Firewall: Allow remote administration exception
  Windows Firewall: Allow ICMP exceptions

The setting path in Group Policy is:
  Computer Configuration/Administrative Templates/Network/
  Network Connections/Windows Firewall/Domain Profile


Configuring Windows Firewall via command line

If you are in a Workgroup environment or choose not to use Group Policy, you'll need to either add the firewall rules manually from the command line or use the Spiceworks Unknowns Assistant.
To configure the firewall manually, use these two commands:
  c:\> netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
  c:\> netsh advfirewall firewall set rule group="remote administration" new enable=yes

Windows XP uses an older form of these commands. If you are using XP, use these commands instead:
  c:\> netsh firewall set service remoteadmin enable
  c:\> netsh firewall set service remoteadmin enable subnet

Note for XP users: if all of your devices are on the same subnet as the Spiceworks computer, use the "enable subnet" form to limit remote administration access to the local subnet.

Alternatively, you can use a script created by a Spiceworks user to automate this. The script has proven safe and effective in the past, but it is good practice to review it yourself before running it to make sure it is right for your environment. You can find it here.
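The netsh commands above enable the two rule groups for any remote address, which is what the post needs but more than most networks require. The following is an added example, not code from the original post or from Spiceworks, that enables the same groups with the NetSecurity cmdlets and scopes them to the Spiceworks host alone; it assumes Windows 8 / Server 2012 or later (Windows 7 and XP lack these cmdlets, so use the netsh commands there), and 192.0.2.10 is a placeholder for the Spiceworks host's address. Run it from an elevated PowerShell session on the remote computer.

```powershell
# Added example (not from the original post or from Spiceworks): enable the
# WMI and Remote Administration rule groups, but only for the Spiceworks host.
# Assumes Windows 8 / Server 2012 or later. 192.0.2.10 is a placeholder.
$SpiceworksHost = '192.0.2.10'
$Groups = @('Windows Management Instrumentation (WMI)', 'Remote Administration')

foreach ($group in $Groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) {
        # Same condition behind the "No rules match the specified criteria"
        # netsh error: the group simply is not defined on this machine.
        Write-Warning "Rule group '$group' not found on this machine."
        continue
    }
    # Enable the rules and restrict the accepted remote address to the
    # Spiceworks host instead of the default "Any".
    $rules | Set-NetFirewallRule -Enabled True -RemoteAddress $SpiceworksHost
}

# ICMPv4 Echo Request so discovery (ping) works; restrict it the same way.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled True -RemoteAddress $SpiceworksHost

# Verify: list the enabled inbound rules and the remote addresses they accept.
Get-NetFirewallRule -DisplayGroup $Groups -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $addr }
    } | Format-Table -AutoSize
```

The verification step is the part worth keeping: a RemoteAddress of "Any" on these groups means WMI and remote administration are reachable from every host on the segment, not just the inventory server. If the Spiceworks host's address ever changes, the rules need the same update.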

"No rules match the specified criteria" error

Occasionally, some Windows 7 machines return the error "No rules match the specified criteria" on the second ("remote administration") command. The cause appears to be that the remote administration rule group does not exist on those machines.
To work around this error, use the older "XP"-style command, which creates the missing group for you:
  c:\> netsh firewall set service type=remoteadmin mode=enable

This returns a deprecation warning but does succeed (note the "Command executed successfully" at the start):
  IMPORTANT: Command executed successfully.
  However, "netsh firewall" is deprecated;
  use "netsh advfirewall firewall" instead.
  For more information on using "netsh advfirewall firewall" commands
  instead of "netsh firewall", see KB article 947709
  at http://go.microsoft.com/fwlink/?linkid=121488 .

You can now repeat the second command and it will succeed:
  c:\> netsh advfirewall firewall set rule group="remote administration" new enable=yes

  Updated 3 rule(s).


Spiceworks Host Computer

Anti-Virus Settings

The following exceptions need to be set up in the anti-virus program so that Spiceworks can run unrestricted.
  • Add the C:\Program Files\Spiceworks directory and all of its subdirectories to the anti-virus program's real-time scanning exclusion list; this should prevent the anti-virus software from slowing down or stopping Spiceworks. The following executables may also need to be excluded explicitly:

  • C:\Program Files\Spiceworks\httpd\bin\spiceworks-httpd.exe
  • C:\Program Files\Spiceworks\bin\nmap.exe
  • C:\Program Files\Spiceworks\bin\spiceworks.exe
  • C:\Program Files\Spiceworks\bin\spicetray.exe
  • C:\Program Files\Spiceworks\bin\spiceworks-finder.exe
  • C:\Program Files\Spiceworks\pkg\gems\spiceworks_common-x.x.xxxxx\nbtscan\nbtscan.exe
Note: The x.x.xxxxx above is the Spiceworks version number which can be found at the bottom of any Spiceworks page.
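For hosts that run Windows Defender, the exclusions above can be registered and checked from PowerShell. This is an added example, not code from the original post or from Spiceworks; it assumes the Windows Defender PowerShell module (Windows 8.1 / Server 2012 R2 or later) and resolves the versioned nbtscan path with a wildcard instead of hard-coding the x.x.xxxxx version. Other anti-virus products need their own tooling.

```powershell
# Added example (not from the original post or from Spiceworks): add the
# Spiceworks exclusions to Windows Defender and confirm nothing broader was
# excluded. Assumes the Defender PowerShell module (Windows 8.1 / 2012 R2+).
$SpiceworksRoot = 'C:\Program Files\Spiceworks'

# The nbtscan path carries the version number (x.x.xxxxx in the post), so
# resolve it with a wildcard rather than hard-coding a version.
$Executables = @(
    "$SpiceworksRoot\httpd\bin\spiceworks-httpd.exe",
    "$SpiceworksRoot\bin\nmap.exe",
    "$SpiceworksRoot\bin\spiceworks.exe",
    "$SpiceworksRoot\bin\spicetray.exe",
    "$SpiceworksRoot\bin\spiceworks-finder.exe"
) + @(Get-ChildItem -Path "$SpiceworksRoot\pkg\gems\spiceworks_common-*\nbtscan\nbtscan.exe" -ErrorAction SilentlyContinue).FullName

# Exclude the directory tree from real-time scanning, then each executable
# that is actually present (ExclusionPath covers both files and folders).
Add-MpPreference -ExclusionPath $SpiceworksRoot
foreach ($exe in $Executables | Where-Object { $_ -and (Test-Path $_) }) {
    Add-MpPreference -ExclusionPath $exe
}

# Verify, and flag any exclusion outside the Spiceworks tree: every exclusion
# is a blind spot for the scanner, so the list should stay as narrow as the
# post describes.
$pref = Get-MpPreference
@($pref.ExclusionPath) + @($pref.ExclusionProcess) |
    Where-Object { $_ -and $_ -notlike "$SpiceworksRoot*" } |
    ForEach-Object { Write-Warning "Exclusion outside the Spiceworks directory: $_" }
```

Because Add-MpPreference only appends, rerunning the script after a Spiceworks upgrade adds the new versioned nbtscan path without removing the old one; use Remove-MpPreference -ExclusionPath to drop paths that no longer exist.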

Firewall Settings

The following ports and protocols will need to be opened so that Spiceworks can retrieve the backup information from your network devices:
  • UDP Port 69 Inbound - Allows Spiceworks to communicate with your networking hardware to back up and restore configurations via TFTP.
