Host Requirements for Windows Vista, 2008, 2012, 2016, 2019

These host requirements apply to non-domain (local) authenticated scanning only.

Windows Firewall Settings

For each target host, there are certain Windows Firewall settings that must be enabled. First activate firewall rules that are relevant to non-domain profiles in order to allow traffic for File and Print Sharing and Remote Administration. Then for each activated rule, add the scanner appliance IP address so that the scanner appliance traffic can reach the host.

Step 1: Allow "File and Print Sharing" traffic

Activate firewall rules that are relevant to non-domain profiles in order to allow traffic for File and Print Sharing.

1) Go to the Control Panel Home window.

2) Do one of the following:

- For Vista and 2008: Go to Security and click the link "Allow a program through Windows Firewall".

- For 2012, 2016, 2019: Go to System and Security > Windows Firewall and click the link "Allow an app of feature through Windows Firewall".

3) Select the "File and Print Sharing" check box.

4) Click OK.

Step 2: Allow scanner appliance traffic

By default, in a non-domain profile, a Windows system (Vista, 2008, 2012, 2016, 2019) does not allow traffic from outside its own local subnet even when a firewall rule has been activated. For this reason, you must also provide the IP address or subnet of the scanner appliance.

1) Go to Start > Control Panel.

2) Do one of the following:

- For Vista, 2008, 2016: Go to System and Maintenance > Administrative Tools > Windows Firewall with Advanced Security.

- For 2012: Go to System and Maintenance > Administrative Tools > Windows Firewall > Advanced Settings.

- For 2019: Go to System and Security > Administrative Tools > Windows Defender Firewall with Advanced Security.

3) Click Inbound Rules.

4) For each entry in the "File and Printer Sharing" group with a green check mark (Vista, 2008 and 2012) and each entry in the "Remote Administration" group with a green check mark (Vista and 2008) follow these steps: a) Right-click on the entry and select Properties, b) Select the Scope tab, and c) Select "Any IP address" or click the Add button to add the IP address (or subnet) for the scanner appliance that has been configured to scan the target host.

5) Click OK.


Enable File Sharing

File sharing must be turned on for each target host. Go to the Control Panel Home window and follow these steps.

For Vista and 2008:

1) Under Network and Internet, click the link "Set up file sharing".

2) In the Network and Sharing Center window, make sure these settings are correct: File sharing is On and Public folder sharing is Off.

For 2012, 2016, 2019:

1) Under Network and Sharing Center, click the link "Change advanced sharing settings".

2) Change sharing options for the current network profile.

- For a non-domain target, select "Guest or Public".

- For a domain target, select "Private".

3) Make sure these settings are correct: turn on network discovery and turn on file and printer sharing.

4) For All Networks, turn off Public Folder Sharing and turn on Password Protected Sharing.


Enable Remote Registry Service

Our service must access the system registry to perform Windows trusted scanning. To allow this access, the Remote Registry service must be started.

1) Go to Control Panel > Control Panel Home.

2) Choose "System and Maintenance" (for Vista, 2008, 2012, 2016) or "System and Security" (for 2019).

3) Go to Administrative Tools > Services.

4) Start the Remote Registry Service. You could set this to Automatic to make sure it starts automatically at reboot.


Configure User Access Control (UAC)

Do I need to configure UAC? Yes. There are 2 methods you can use: 1) change Remote UAC settings, or 2) disable UAC policy.


Method 1: Change Remote UAC settings

1) Launch Registry Editor (regedit.exe) in "Run as administrator" mode and grant Admin Approval, if requested

2) Navigate to HKEY_LOCAL_MACHINE hive

3) Open SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key

4) Create a new DWORD (32-bit) value with these properties:

Name: LocalAccountTokenFilterPolicy
Value: 1

5) Close Registry Editor

Warning: The value data types of DWORD (32-bit) and QWORD (64-bit) are located next to each other in the data type selection menu on 64-bit Windows versions. It may be easy to mistake one for another and select the incorrect data type. The required value data type must be DWORD (32-bit). Selecting QWORD (64-bit) and setting it to 1 will not enable Remove UAC.

The requirement to reboot the system or restart the Server service is questionable. Despite what some documents recommend, our tests have shown that disabling Remote UAC in the registry takes effect immediately and remote access to ADMIN$ is granted during the scan.


Method 2: Disable UAC policy

Go to the Control Panel Home window and follow these steps.

For Vista, 2008, 2016:

1) Click "Add or remove user accounts".

2) Select a user account.

3) Under the account, click the link "Go to the main User Accounts Page".

4) On the page "Make changes to your user account", click "Change security settings".

5) On the page "Turn on User Account Control (UAC) to make your computer more secure", de-select (clear) the check box "Use User Account Control (UAC) to help protect your computer" and click OK.

6) Reboot your computer.

For 2012, 2019:

1) Click User Accounts.

2) Change User Account Control settings.

3) Set the tab to "Notify me only when apps try to make changes to my computer (do not dim my desktop)".

4) Reboot your computer.