
Configuring GPO to allow MBSA in a Domain Environment

Last Updated: Feb 08, 2017 11:37AM EST
1. Open up Group Policy Management on your Domain Controller.

2. Edit the group policy object you wish to put these settings into or create a new one.

3. Right-click the new or existing GPO, click Edit, and expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules. (The repeated node name is how the Group Policy editor presents this section; it is not a typo.)

4. Right-click the working area and choose New Rule...

5. Select “Port” as your rule type and click Next.

6. Select TCP as your port protocol and enter the following specific ports: 135, 137, 139, 445, 1024-65535. Click Next. The high range covers the RPC dynamic endpoints that MBSA's remote checks use; because it is so wide, the remote-address scope applied in step 10 is what keeps this rule from exposing those ports to the whole network.

7. Select “Allow the connection” as your action and click Next.

8. Select All Profiles.

9. Name your rule (e.g. MBSA Allow TCP) and add a description (optional). Click Finish. You should now see your new rule listed in the working window.

10. Right-click the new rule, select Properties and go to the Scope tab. Under the Remote IP address section select the "These IP addresses" radio button and click the Add button. Enter the IP address of the machine you will be running the data collector from. The purpose of this step is to ensure that the firewall only allows access to all those ports from a specific IP and not the entire network.
</space>

11. Now you must configure another rule to allow the UDP ports for MBSA, so right-click the working area again and choose New Rule...

12. Select “Port” as your rule type and click Next.

13. Select UDP as your port protocol and enter the following specific ports: 137, 138. Click Next.

14. Select “Allow the connection” as your action and click Next.

15. Check all the profiles and click Next.

16. Name your rule (e.g. MBSA Allow UDP) and give a brief description (optional). Click Finish. You should now see your new rule listed in the working area.

17. Right-click the new rule, select Properties and go to the Scope tab. Under the Remote IP address section select the "These IP addresses" radio button and click the Add button. Enter the IP address of the machine you will be running the data collector from. As with the TCP rule, this ensures that the firewall only allows access to these ports from a specific IP and not the entire network.

NOTE: If you opted to create a new GPO instead of editing an existing GPO, you must link it to an OU. Also note that this GPO only affects computer objects in AD, so it must be linked to an OU that contains the target computers. Finally, domain members refresh Group Policy in the background every 90 minutes (plus a random offset of up to 30 minutes), so if you would like the GPO to take effect immediately you must either reboot the machines or log into each machine as an Administrator and run gpupdate /force from the command line.
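The same two rules, scoped to the collector's IP and written into a GPO, can be created without clicking through the wizard. The following is an added example, not code from the original article or from RapidFire Tools; the domain name corp.example.com, the GPO name "MBSA Firewall", the OU path and the collector address 10.0.0.50 are assumptions and should be replaced with your own values. It uses the NetSecurity and GroupPolicy modules that ship with Windows Server 2012 and later, run from a domain controller or a management host with RSAT.

```powershell
# Added example (not from the original article). Assumed values: replace them.
$Domain     = 'corp.example.com'                      # assumption: your AD domain FQDN
$GpoName    = 'MBSA Firewall'                         # assumption: GPO to create/edit
$TargetOU   = 'OU=Workstations,DC=corp,DC=example,DC=com'  # assumption: OU with computer objects
$Collector  = '10.0.0.50'                             # assumption: IP of the data collector host

Import-Module GroupPolicy
Import-Module NetSecurity

# Step 2: create the GPO if it does not already exist.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Inbound firewall rules for MBSA data collection' | Out-Null
}

# Steps 3-17: open the GPO's firewall policy store, add both rules, and save.
# Scoping -RemoteAddress to the collector is the part that keeps 1024-65535
# from being reachable from the whole network.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'MBSA Allow TCP' `
    -Description 'Allow MBSA remote checks (RPC, NetBIOS, SMB) from the collector only' `
    -Direction Inbound -Protocol TCP `
    -LocalPort 135,137,139,445,'1024-65535' `
    -RemoteAddress $Collector `
    -Profile Any -Action Allow | Out-Null

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'MBSA Allow UDP' `
    -Description 'Allow NetBIOS name/datagram service from the collector only' `
    -Direction Inbound -Protocol UDP `
    -LocalPort 137,138 `
    -RemoteAddress $Collector `
    -Profile Any -Action Allow | Out-Null

Save-NetGPO -GPOSession $session

# NOTE section: link the GPO to an OU that actually contains computer objects.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Check: confirm the stored rules carry the remote-address scope, not 'Any'.
Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" -DisplayName 'MBSA Allow *' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $port.Protocol;
                           LocalPort = ($port.LocalPort -join ','); RemoteAddress = $addr }
    } | Format-Table -AutoSize

# Force a refresh on the members instead of waiting for the background cycle.
Get-ADComputer -SearchBase $TargetOU -Filter * |
    ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -ErrorAction SilentlyContinue }
```

After the refresh, run Test-NetConnection -ComputerName <target> -Port 445 from the collector host and the same command from any other host; the first should succeed and the second should be refused, which confirms the remote-address scope was applied rather than the rule defaulting to Any. Get-ADComputer requires the ActiveDirectory module (also part of RSAT).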