
Prepare a Windows Network Domain for Sophos Endpoint Security & Control Center

Tue, 03 Jul 2012 18:14:33 GMT

Sophos Endpoint Security & Control

Sophos Anti-Virus and Endpoint Security & Control can be pushed to every client from a central configuration on the server, which saves IT administrators having to walk from PC to PC running the installation by hand.

However, the additional security features introduced in Windows Vista and later, namely User Account Control (UAC) and a far more capable Windows Firewall, mean that deploying Sophos to the network is no longer as simple as installing the Control Center and clicking 'Protect' to push the client anti-virus onto your PCs: the push install has to reach each client over file sharing and RPC and then run an installer without an elevation prompt, and a default Vista/Windows 7 client blocks both. Follow the guide below to prepare your Windows network so that the deployment goes through first time.

Windows 2003 Level Domain Policy

Create a new Group Policy Object

  1. Click Start | All Programs | Administrative Tools | Active Directory Users and Computers.
    Or
    Click Start | Run | Type: dsa.msc | Press return.
  2. Select the domain name from the left-hand tree.
  3. Right-click the domain name and select 'Properties'.
  4. Select the 'Group Policy' tab.
  5. Select 'New'.
  6. Enter a name for the new Group Policy object (GPO).  Example: GPO to deploy Sophos endpoint software.
  7. Select the new GPO and click 'Edit'.
  8. The Group Policy Object Editor window will open.

Disable User Account Control (UAC):

If you have Windows Vista or Windows 7 computers on your network but only have a Windows 2003 domain controller you cannot control UAC settings from the Windows 2003 domain controller.  You can either:

  • Disable UAC locally at each client computer.  For more information see: Turn User Account Control on or off.
  • On a Vista/Windows 7/2008 computer that is joined to the domain, create a GPO using its updated set of Group Policies. For more information on this ability see Deploying Group Policy Using Windows Vista. If you take this option on a Windows 2003 domain, follow the instructions in the 'Windows 2008 (and above) Level Domain Policy' section below.

Configure the required Windows services:

  1. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services.
  2. In the right-hand panel select the following items and define as suggested:
    • Remote Registry | Automatic
    • Task Scheduler | Automatic
    • Windows Installer | Manual

Create deployment rules for the Windows Firewall:

  1. From the left-hand panel navigate to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile.
  2. Right-click 'Windows Firewall: Allow remote administration exception' and select 'Properties'.
  3. On the 'Settings' tab select 'Enable' and click OK.
  4. Right-click 'Windows Firewall: Allow file and printer sharing exception' and select 'Properties'.
  5. On the 'Settings' tab select 'Enable' and click OK.

Create inbound and outbound Sophos Remote Management System (RMS) rules for the Windows Firewall:

  1. From the left-hand panel navigate to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile.
  2. Right-click 'Windows Firewall: Define port exceptions' and select 'Properties'.
  3. On the 'Settings' tab select 'Enable'.
  4. Select the 'Show' button.
  5. In the 'Show Contents' window select 'Add'.
  6. Add the item: 8194:TCP:*:enabled:Sophos8194 and click OK to confirm all changes [1].
  7. Right-click 'Windows Firewall: Allow file and printer sharing exception' and select 'Properties'.
  8. On the 'Settings' tab select 'Enable'.
  9. In the field beneath 'Allow unsolicited incoming messages from:' enter:  *
    Note: If you wish to define a narrower range of IP addresses see the 'Syntax' explanation section shown on screen.
  10. Click OK to confirm and save all changes.

[1] Endpoint computers are only contacted on TCP port 8194. On your Sophos management server (and any message relay servers) you need to allow the additional TCP port 8192.

Note: Once deployment is complete we recommend you return some settings to their default configuration. For further details see the Post Deployment Recommendations section at the bottom of this article.
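For the first of the two options above (preparing each Vista/Windows 7 client by hand because a 2003-level domain cannot push these settings), the script below is an added example; it is not part of the original article and not Sophos's own tooling. It applies on a single client the same settings the Group Policy sections set centrally: the one UAC setting, the three service start types, and the Windows Firewall groups plus the RMS port rules. It assumes an elevated Windows PowerShell session on the client, that the client is on the Domain firewall profile, and uses the registry value EnableInstallerDetection and the netsh advfirewall rule-group names as they appear on Vista and Windows 7; 'Remote Administration' is the advfirewall equivalent of the 'Allow remote administration exception' policy used in the 2003 section. The outbound rule matches the remote port, because for traffic leaving the endpoint the local port is an ephemeral source port.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell on each client.
# Assumed names (Vista / Windows 7):
#   UAC 'Detect application installations and prompt for elevation' -> EnableInstallerDetection
#   Services: RemoteRegistry, Schedule (Task Scheduler), msiserver (Windows Installer)
#   Firewall groups: 'File and Printer Sharing', 'Remote Service Management', 'Remote Administration'

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-SophosDeployPrereqs {
    # UAC: turn off only installer detection (0 = disabled); the rest of UAC stays on.
    # A restart is needed before the change takes effect.
    Set-ItemProperty -Path $UacKey -Name EnableInstallerDetection -Value 0 -Type DWord

    # Services, as in the 'Configure the required Windows services' step.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Set-Service -Name Schedule       -StartupType Automatic
    Set-Service -Name msiserver      -StartupType Manual
    Start-Service -Name RemoteRegistry, Schedule

    # Firewall: enable the predefined groups on the Domain profile only.
    foreach ($group in 'File and Printer Sharing', 'Remote Service Management', 'Remote Administration') {
        netsh advfirewall firewall set rule group="$group" profile=domain new enable=yes | Out-Null
    }
    # RMS: the management server contacts the endpoint on TCP 8194 (inbound, local port).
    netsh advfirewall firewall add rule name="Sophos RMS Rule" dir=in action=allow protocol=TCP localport=8194 profile=domain | Out-Null
    # Outbound, the endpoint talks to the server/relay on its 8192 and 8194, so match the REMOTE port.
    netsh advfirewall firewall add rule name="Sophos RMS Rule (outbound)" dir=out action=allow protocol=TCP remoteport=8192,8194 profile=domain | Out-Null
}

function Test-SophosDeployPrereqs {
    # Summarises the state after Set-SophosDeployPrereqs; the expected values are in the comments.
    $rms = netsh advfirewall firewall show rule name="Sophos RMS Rule" | Select-String '^Enabled:\s+Yes'
    [pscustomobject]@{
        InstallerDetection = (Get-ItemProperty -Path $UacKey -Name EnableInstallerDetection).EnableInstallerDetection  # 0
        RemoteRegistry     = (Get-Service -Name RemoteRegistry).Status   # Running
        TaskScheduler      = (Get-Service -Name Schedule).Status         # Running
        RmsInboundRule     = [bool]$rms                                  # True
    }
}

Set-SophosDeployPrereqs
Test-SophosDeployPrereqs
```

Run it once per client, restart, and then push from the Control Center; the Test function is worth running again on any client the push still fails on, since a mismatch in one of the four properties is the usual cause.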


Windows 2008 (and above) Level Domain Policy

Create a new Group Policy Object:

  1. Open the Group Policy Management console and select the domain (or the OU holding the client computers) that the new policy should apply to:
    Click Start | All Programs | Administrative Tools | Group Policy Management
    Or
    Click Start | Run | Type: gpmc.msc | Press return.
  2. Create a new Group Policy object.  For more information see: Create or delete a Group Policy object.

Disable User Account Control (UAC):

  1. User Account Control (UAC) only needs to be disabled during deployment and will require a restart to take effect. After deployment, UAC should be re-enabled.
  2. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options.
  3. In the right-hand panel select the following item and define as suggested:
    • User Account Control: Detect application installations and prompt for elevation | Disabled.
    Note: this turns off only installer detection, which is the part of UAC that gets in the way of the push install; the rest of UAC stays enabled, so there is no need to disable UAC as a whole.

Configure the required Windows services:

  1. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services.
  2. In the right-hand panel select the following items and define as suggested:
    • Remote Registry | Automatic
    • Task Scheduler | Automatic
    • Windows Installer | Manual

Create deployment rules for the Windows Firewall:

  1. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules.
  2. Right-click 'Inbound Rules' and select 'New Rule...'
  3. Select 'Predefined:' and from the dropdown list 'File and Printer Sharing' and click Next.
  4. Ensure the box for 'File and Printer Sharing (SMB-In)' is checked (this is the TCP 445 rule listed in the port reference at the end of this article; the LLMNR name-resolution rule in the same group is not what the push install needs) and click Next.
  5. Select 'Allow the connection' and click Finish.
  6. Right-click 'Inbound Rules' and select 'New Rule...'.
  7. Select 'Predefined:' and from the dropdown list 'Remote Service Management' and click Next.
  8. Ensure the box for the ‘Remote Service Management (NP-In)’ is checked and click Next.
  9. Select 'Allow the connection' and click Finish.

Create inbound Sophos Remote Management System (RMS) rule for the Windows Firewall:

  1. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules.
  2. Right-click 'Inbound Rules' and select 'New Rule...'
  3. Select 'Port' and click Next
  4. Select 'TCP', select 'Specified local ports:' and enter: 8194 then click Next [1].
  5. Select 'Allow the connection' and click Next.
  6. Check only the 'Domain' option and click Next.
  7. Name the rule 'Sophos RMS Rule'.  Optionally enter a useful description and click Finish.

Create an outbound Sophos Remote Management System (RMS) rule for the Windows Firewall:

  1. From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Outbound Rules.
  2. Right-click 'Outbound Rules' and select 'New Rule...'.
  3. Select 'Port' and click Next.
  4. Select 'TCP', select 'Specified local ports:' and enter: 8194 then click Next [1].
  5. Select 'Allow the connection' and click Next.
  6. Check only the 'Domain' option and click Next.
  7. Name the rule 'Sophos RMS Rule'.  Optionally enter a useful description and click Finish.

Note: Windows Firewall allows outbound connections by default, so this rule only makes a difference on networks where the default outbound action has been changed to Block. In that case bear in mind that for an outbound rule the 'local port' is the endpoint's own source port, which is ephemeral; the ports the endpoint actually needs to reach are the remote ports on the management server or message relay (8194, plus 8192 as described in the footnote), so a rule on 'Specified remote ports' is the one that matches RMS traffic.

[1] Endpoint computers are only contacted on TCP port 8194. On your Sophos management server (and any message relay servers) you need to allow the additional TCP port 8192.

Note: Once deployment is complete we recommend you return some settings to their default configuration. For further details see the Post Deployment Recommendations section below.
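The whole 2008-level procedure above can be scripted. The script below is an added example, not from the original article or from Sophos; it builds the GPO with the GroupPolicy and NetSecurity modules, which need Windows Server 2012 / Windows 8 RSAT or later (the page's own instructions are for the GUI). The domain name, GPO name and OU distinguished name are assumptions. Two design points: there is no cmdlet for the System Services security-template node, so the service start types are pushed as Registry policy values instead (which tattoo the client, see the post-deployment section), and the firewall rules are written directly into the GPO's policy store rather than copied from the predefined groups, using the ports from the reference table at the end of the article.

```powershell
# Added example, not from the original article or from Sophos. Builds the 2008-level GPO
# from the steps above. Needs the GroupPolicy and NetSecurity modules (Server 2012 / RSAT or later)
# and a domain admin session. Domain, GPO name and OU are assumed values.
#Requires -Modules GroupPolicy, NetSecurity
param(
    [string]$Domain  = 'corp.example.com',
    [string]$GpoName = 'GPO to deploy Sophos endpoint software',
    [string]$LinkTo  = 'OU=Workstations,DC=corp,DC=example,DC=com'
)

# 1. Create the GPO (idempotent) and link it to the OU holding the client computers.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Temporary: Sophos push-install prerequisites'
}
$linked = (Get-GPInheritance -Target $LinkTo -Domain $Domain).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $LinkTo -Domain $Domain -LinkEnabled Yes | Out-Null }

# 2. UAC: 'Detect application installations and prompt for elevation' = Disabled (value 0).
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName EnableInstallerDetection -Type DWord -Value 0 | Out-Null

# 3. Services. No cmdlet covers the System Services node, so push the Start values as Registry
#    policy (2 = Automatic, 3 = Manual, 4 = Disabled). These keys sit outside the Policies
#    paths, so they tattoo the client: revert them explicitly after deployment.
$startTypes = @{ RemoteRegistry = 2; Schedule = 2; msiserver = 3 }
foreach ($svc in $startTypes.GetEnumerator()) {
    Set-GPRegistryValue -Name $GpoName -Domain $Domain `
        -Key "HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Key)" `
        -ValueName Start -Type DWord -Value $svc.Value | Out-Null
}

# 4. Firewall rules written straight into the GPO's policy store ("<domain>\<GPO name>").
$store = "$Domain\$GpoName"
function Add-GpoFirewallRule {
    param([string]$DisplayName, [hashtable]$Rule)
    if (-not (Get-NetFirewallRule -PolicyStore $store -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -PolicyStore $store -DisplayName $DisplayName `
            -Profile Domain -Action Allow -Protocol TCP @Rule | Out-Null
    }
}
# TCP 445 carries both the file-sharing traffic and the named-pipe service-control channel.
Add-GpoFirewallRule 'File and Printer Sharing (SMB-In)'  @{ Direction = 'Inbound'; LocalPort = 445 }
Add-GpoFirewallRule 'Remote Service Management (NP-In)'  @{ Direction = 'Inbound'; LocalPort = 445 }
# RMS: the server contacts endpoints on 8194 only; endpoints reach the server/relay on 8192 and
# 8194, so the outbound rule matches the remote port (the local source port is ephemeral).
Add-GpoFirewallRule 'Sophos RMS Rule'            @{ Direction = 'Inbound';  LocalPort  = 8194 }
Add-GpoFirewallRule 'Sophos RMS Rule (outbound)' @{ Direction = 'Outbound'; RemotePort = 8192, 8194 }

"GPO '$GpoName' is linked to $LinkTo. Run 'gpupdate /force' and restart the clients before clicking 'Protect'."
```

The rules are scoped to the Domain profile only, matching step 6 of the GUI procedure, so a laptop that leaves the office does not keep TCP 445 and 8194 open on public networks.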


Post Deployment Recommendations

Once deployment is complete it is recommended that the following be returned to their original settings:
  • Vista and above: under Services, stop the Remote Registry service and set its startup type back to Disabled. It is only needed for the push install, and leaving it listening widens the remote attack surface of every client.
  • Vista and above: set User Account Control back to its default (re-enable 'Detect application installations and prompt for elevation' if that is the only setting you changed). This needs a restart to take effect.
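The revert is where the Registry-policy route for the service start types bites, so this added example (not from the original article) does it the safe way and then checks each endpoint. It assumes the GPO built in the 2008-level section, with the same assumed domain and GPO name, and that the client is still reachable for service-control RPC (the 'Remote Service Management (NP-In)' rule is left in place). Windows only cleans up removed policy values under the Policies registry paths; Services\...\Start is not one of them, so that value is set to Disabled explicitly rather than just deleted from the policy, which would leave Remote Registry tattooed as Automatic. Get-Service -ComputerName is a Windows PowerShell 5.1 parameter that PowerShell 7 removed.

```powershell
# Added example, not from the original article. Reverses the temporary settings in the GPO
# built earlier and audits each endpoint afterwards. Domain and GPO name are assumed values.
#Requires -Modules GroupPolicy
param(
    [string]$Domain  = 'corp.example.com',
    [string]$GpoName = 'GPO to deploy Sophos endpoint software'
)
$uacKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# UAC: Policies\System is one of the registry paths Windows cleans when a policy value is
# removed, so deleting the value returns the setting to its default at the next refresh.
Remove-GPRegistryValue -Name $GpoName -Domain $Domain -Key $uacKey -ValueName EnableInstallerDetection | Out-Null

# Remote Registry: Services\...\Start is NOT under a Policies path, so removing the policy
# would leave the value tattooed at 2 (Automatic). Set 4 (Disabled) explicitly instead.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry' `
    -ValueName Start -Type DWord -Value 4 | Out-Null

function Test-SophosEndpointState {
    # Windows PowerShell 5.1: Get-Service -ComputerName uses the SCM RPC channel, which the
    # 'Remote Service Management (NP-In)' rule still allows. RMS on 8194 must keep working.
    param([Parameter(Mandatory)][string]$ComputerName)
    $svc = Get-Service -Name RemoteRegistry -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $rms = Test-NetConnection -ComputerName $ComputerName -Port 8194 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Computer             = $ComputerName
        RemoteRegistryStatus = if ($svc) { $svc.Status }    else { 'unreachable' }   # want: Stopped
        RemoteRegistryStart  = if ($svc) { $svc.StartType } else { 'unreachable' }   # want: Disabled
        RmsPort8194          = $rms.TcpTestSucceeded                                  # want: True
    }
}

# Usage (after 'gpupdate /force' and a restart on the clients):
# Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com' |
#     ForEach-Object { Test-SophosEndpointState -ComputerName $_.Name } | Format-Table -AutoSize
```

A client that still shows RemoteRegistryStatus = Running with RemoteRegistryStart = Disabled has received the policy but not restarted; one that shows Automatic has not refreshed policy at all. Either way RmsPort8194 should stay True, otherwise the anti-virus is installed but no longer managed.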

Advanced Firewall Port Reference

Windows Firewall name                      Direction  Protocol  Port       Program
File and Printer Sharing                   Inbound    TCP       445        -
Remote Service Management (NP-In)          Inbound    TCP       445        -
Allow remote administration exception      Inbound    TCP       RPC ports  svchost.exe
Remote Scheduled Tasks Management (RPC)    Inbound    TCP       RPC ports  svchost.exe


Copyright © Passionate About I.T 2012

1 comment so far...

Thanks! This helped resolve the issues when deploying Sophos to Win 7 PCs!

By Andrew Parfitt on   Mon, 16 Jul 2012 10:31:25 GMT
