DESCRIPTION
This article contains recommendations on system and network settings configuration. They help you avoid common errors and problems, and several of them are required for certain DeviceLock functionality to work at all.
IMPORTANT NOTICE FOR WINDOWS VISTA, 7, 8, 8.1, SERVER 2008 AND 2012 USERS
Starting mainly with Windows Vista, Microsoft changed the default operating system settings to limit remote administrative RPC access to the operating system and the registry. The configuration changes below are therefore necessary for DeviceLock's Plug and Play Report device registry scan, the other DeviceLock remote administration tools and the DeviceLock Enterprise Server collection tools to function.
These tools are important for building USB device white lists, for running the diagnostic reports that DeviceLock technical support might need to help troubleshoot configuration issues, and for remote collection of DeviceLock audit and shadow data for reporting and analysis.
Remote access is still allowed only for accounts that have administrative credentials on that computer. Typically these are Domain Administrators or members of groups specifically set up to have local administrative access.
SERVICES
The following services must be running on computers controlled by DeviceLock Service so that DeviceLock consoles can communicate with them:
• Server Service
The startup type of the service must be set to Automatic;
• Remote Registry Service
The startup type of the service must be set to Automatic;
To enable the Remote Registry Service across a group of machines you can use Group Policy:
- Launch the Group Policy Management Console: from Start Menu - Administrative Tools, or via Start - Run, or type gpmc.msc in the menu search box and press Enter;
- Open the policy you want to edit;
- Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - System Services;
- In the right-hand pane double-click Remote Registry;
- Click Define this policy setting and choose Automatic;
- Click OK.
For testing on a limited number of systems, or to enable the service on non-domain systems, log in as an Administrator and ensure the Remote Registry Service is running on the endpoint you are trying to scan. If it isn't already running, enable it:
- Click Start - Run, or use the menu search box, type services.msc and press Enter;
- Right-click Remote Registry and choose Properties;
- Set the startup type to Automatic and click OK;
- Start the service by right-clicking it and choosing Start.
• Remote Procedure Call (RPC) Service
The startup type of the service must be set to Automatic.
• Base Filtering Engine Service
On Windows 8 and 8.1 clients specifically, the startup type of the service must be set to Automatic.
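The following script is an added example, not DeviceLock's own tooling. It sets the four services listed above to Automatic and starts them on a set of endpoints, then verifies from the console side that the Remote Registry service really answers, which is the same path the DeviceLock registry scan depends on. It assumes PowerShell remoting (WinRM) is enabled on the targets, that you run it with local administrative rights on every target, and the computer names are hypothetical.

```powershell
# Added example (not DeviceLock's own code). Requires PowerShell 3.0+ on both
# sides and WinRM enabled on the targets; run as an account that is a local
# administrator on each target.
$Targets = @('PC-LAB-01', 'PC-LAB-02')   # hypothetical computer names

# Service names as registered in the Service Control Manager
$RequiredServices = @(
    'LanmanServer',     # Server
    'RemoteRegistry',   # Remote Registry
    'RpcSs',            # Remote Procedure Call (RPC)
    'BFE'               # Base Filtering Engine (needed on Windows 8 / 8.1)
)

$results = Invoke-Command -ComputerName $Targets -ArgumentList (,$RequiredServices) -ScriptBlock {
    param([string[]] $Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; StartMode = 'missing'; Status = 'missing' }
            continue
        }
        # Set-Service is idempotent, so the startup type is simply forced to Automatic;
        # Start-Service only runs when the service is not already up.
        Set-Service -Name $name -StartupType Automatic
        if ($svc.Status -ne 'Running') { Start-Service -Name $name }
        # Win32_Service exposes the startup type (StartMode) on every PowerShell version
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{ Service = $name; StartMode = $wmi.StartMode; Status = $wmi.State }
    }
}
$results | Format-Table PSComputerName, Service, StartMode, Status -AutoSize

# Independent check from the console side: open HKLM on each target through the
# Remote Registry service and read one well-known value. A failure here means
# the DeviceLock registry scan will fail too (service stopped, firewall, or no
# local admin rights for the calling account).
foreach ($t in $Targets) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $t)
        $ver  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        "{0}: Remote Registry OK ({1})" -f $t, $ver.GetValue('ProductName')
        $hklm.Close()
    } catch {
        "{0}: Remote Registry FAILED - {1}" -f $t, $_.Exception.Message
    }
}
```

Remote Registry is a service attackers also use for lateral movement once they hold local administrator credentials, so pair this with the firewall scoping in the TCP/UDP PORTS section and allow the RPC and NetBIOS ports only from the subnets where the DeviceLock consoles and servers live.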
ENABLE REMOTE ACCESS TO THE PLUG AND PLAY (PNP) INTERFACE
In order to use the Report PnP Devices plug-in in DeviceLock Enterprise Manager for Windows Vista+/Server 2008+ clients, you should allow remote access to the Plug-and-Play (PnP) interface on those computers.
By default, remote administrative access to the Plug and Play interface is disabled by the local policy on the endpoint. To enable it across a group of machines you can use Group Policy:
• Launch the Group Policy Management Console: from Start Menu - Administrative Tools, or via Start - Run, or type gpmc.msc in the menu search box and press Enter;
• Open the policy you want to edit;
• Navigate to Computer Configuration - Administrative Templates - System - Device Installation;
• In the right pane, double-click Allow remote access to the PnP interface, and then click Settings;
• Click Enabled, and then click OK.
For testing on a limited number of systems, or to enable the setting on non-domain systems, log in as an Administrator and ensure remote access to the PnP interface is enabled on the endpoint you are trying to scan. If it isn't already enabled:
• Click Start - Run, or use the menu search box, type gpedit.msc and then click OK;
• Locate and click the Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation node in the Group Policy dialog box;
• In the right pane, double-click Allow remote access to the PnP interface, and then click Settings;
• Click Enabled, and then click OK.
See Also
http://www.support.microsoft.com/kb/947040
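For non-domain or lab machines, the policy above can be audited and set through the registry value behind it. The script below is an added example, not DeviceLock's or Microsoft's code. It assumes the policy maps to the DWORD value AllowRemoteRPC under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings, as described in the KB article linked above; confirm that against the KB for your OS version. It reuses the Remote Registry access enabled in the SERVICES section, and the computer names are hypothetical.

```powershell
# Added example (not DeviceLock's own code). Assumed mapping, per KB947040:
#   "Allow remote access to the PnP interface" = Enabled
#   -> HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC = 1 (DWORD)
# Works through the Remote Registry service, so that service must already be
# running on the targets and the caller must be a local administrator there.
$Targets = @('PC-LAB-01')   # hypothetical; use 'localhost' to run on this machine
$PolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings'

function Get-RemotePnPPolicy {
    param([string] $Computer)
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key   = $hklm.OpenSubKey($PolicyKey)
    $value = if ($key) { $key.GetValue('AllowRemoteRPC') } else { $null }   # $null = not configured
    $hklm.Close()
    [pscustomobject]@{ Computer = $Computer; AllowRemoteRPC = $value; Enabled = ($value -eq 1) }
}

function Enable-RemotePnPPolicy {
    param([string] $Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    # CreateSubKey returns the key opened for writing and creates it if absent
    $key = $hklm.CreateSubKey($PolicyKey)
    $key.SetValue('AllowRemoteRPC', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()
}

foreach ($t in $Targets) {
    $state = Get-RemotePnPPolicy -Computer $t
    if (-not $state.Enabled) {
        Enable-RemotePnPPolicy -Computer $t
        $state = Get-RemotePnPPolicy -Computer $t   # read back rather than trusting the write
    }
    $state
}
```

On domain-joined computers a Group Policy refresh will overwrite whatever is written here, so use this only where the Group Policy procedure above does not apply; the value is also a quick way to audit whether the GPO actually reached a machine.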
DISABLE SIMPLE FILE SHARING ON CLIENTS
Disable Simple File Sharing on computers controlled by DeviceLock Service. On Windows XP Home Edition this setting cannot be disabled, which makes the client machine inaccessible for remote connection and configuration.
ENABLE FILE AND PRINTER SHARING
Enable File and Printer Sharing on computers controlled by DeviceLock Service.
TCP/UDP PORTS
Keep the following TCP/UDP ports open for the appropriate DeviceLock components:
• 9132 on DeviceLock Service clients;
• 9133, 9134 (if DeviceLock Content Security Server is installed) on DeviceLock Enterprise Server;
• 9133, 9134 on DeviceLock Content Security Server host.
The following ports should be open on DeviceLock Service, DeviceLock Enterprise Server and DeviceLock Content Security Server computers:
• 135 (TCP) - for Remote Procedure Call (RPC) Service;
• 137 (UDP) - for NetBIOS Name Service;
• 138 (UDP) - for NetBIOS Netlogon and Browsing;
• 139 (TCP) - for NetBIOS session (NET USE).
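The script below is an added example and is not part of DeviceLock's installer. It creates the inbound Windows Firewall rules for the ports listed above according to the host's role, restricted to the subnet the consoles and servers live in, and then checks from a console machine that the TCP ports actually answer. It assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets and Test-NetConnection), an elevated session, and the role, subnet and host names are hypothetical.

```powershell
# Added example (not DeviceLock's own code). Run elevated on the host being
# configured. Role, subnet and endpoint names below are hypothetical.
$Role = 'EnterpriseServer'               # 'Client', 'EnterpriseServer' or 'ContentSecurityServer'
$ContentSecurityServerInstalled = $false # only relevant for the EnterpriseServer role
$ConsoleSubnet = '10.0.5.0/24'           # where DeviceLock consoles and servers live

# Ports every role needs: RPC endpoint mapper and NetBIOS
$rules = @(
    @{ Name = 'DeviceLock RPC (135/TCP)';            Protocol = 'TCP'; Port = 135 },
    @{ Name = 'DeviceLock NetBIOS name (137/UDP)';   Protocol = 'UDP'; Port = 137 },
    @{ Name = 'DeviceLock NetBIOS datagram (138/UDP)'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'DeviceLock NetBIOS session (139/TCP)'; Protocol = 'TCP'; Port = 139 }
)
switch ($Role) {
    'Client' {
        $rules += @{ Name = 'DeviceLock Service (9132/TCP)'; Protocol = 'TCP'; Port = 9132 }
    }
    'EnterpriseServer' {
        $rules += @{ Name = 'DeviceLock Enterprise Server (9133/TCP)'; Protocol = 'TCP'; Port = 9133 }
        if ($ContentSecurityServerInstalled) {
            $rules += @{ Name = 'DeviceLock Content Security Server (9134/TCP)'; Protocol = 'TCP'; Port = 9134 }
        }
    }
    'ContentSecurityServer' {
        $rules += @{ Name = 'DeviceLock Content Security Server (9133/TCP)'; Protocol = 'TCP'; Port = 9133 }
        $rules += @{ Name = 'DeviceLock Content Security Server (9134/TCP)'; Protocol = 'TCP'; Port = 9134 }
    }
}

foreach ($r in $rules) {
    # Idempotent: a rule with the same display name is left alone
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol $r.Protocol -LocalPort $r.Port `
            -RemoteAddress $ConsoleSubnet -Profile Domain -Enabled True | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'DeviceLock*' | Format-Table DisplayName, Enabled, Profile -AutoSize

# From a console machine: confirm a DeviceLock Service client answers on the
# ports the console needs. Test-NetConnection probes TCP only, so the UDP
# NetBIOS ports (137, 138) cannot be checked this way.
$Endpoint = 'PC-LAB-01'   # hypothetical client
foreach ($p in 135, 139, 9132) {
    $ok = (Test-NetConnection -ComputerName $Endpoint -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0}:{1} {2}" -f $Endpoint, $p, $(if ($ok) { 'open' } else { 'blocked or closed' })
}
```

Scoping the rules with -RemoteAddress and the Domain profile matters more than it looks: RPC and NetBIOS open to any source are exactly the services a compromised workstation uses to reach the next one, and DeviceLock only needs them reachable from the console and server subnet.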
LOCAL ADMINISTRATIVE PRIVILEGES
To install and use DeviceLock, you must have administrative privileges. If you are going to use DeviceLock only on a local computer, local administrative privileges are enough. If you are going to use DeviceLock throughout your network and in Group Policy, you should preferably have domain administrator privileges; at minimum you need OU administrator privileges for the OU containers holding the computer accounts, and local administrative credentials on the clients in some form.
Accounts used for administering DeviceLock Service agents, and the accounts under which the DeviceLock Enterprise Server and DeviceLock Content Security Server services run, must have local administrative privileges on all clients controlled by DeviceLock Service.
Note
On computers running Windows Vista/7/8/8.1/10, User Account Control remote restrictions apply to local user accounts that are members of the local Administrators group: when such an account connects over the network it receives a filtered, standard-user token under the "least privilege" principle and therefore cannot perform remote administrative tasks. Domain accounts that are members of the local Administrators group are not affected, so using a domain account for DeviceLock administration avoids the restriction without weakening the endpoint.
More information on this restriction, and on the LocalAccountTokenFilterPolicy registry value that disables it, can be found in the following Microsoft article:
https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
DEVICELOCK CERTIFICATES
It is highly recommended to use DeviceLock Certificates wherever possible to assist with remote authentication.
Example
DeviceLock Service agent to DeviceLock Enterprise Server authentication for audit and shadow data collection.
ADDITIONAL SETTINGS TO ALLOW COMMUNICATION WITH DEVICELOCK ENTERPRISE SERVER
Run Administrative Tools - Local Security Policy - Local Policies - Security Options and set the following Network security options:
• Allow Local System to use computer identity for NTLM = Disabled;
• Allow LocalSystem NULL session fallback = Enabled.
Both settings relax the default NTLM behaviour of the Local System account, so apply them only on the computers that need to communicate with DeviceLock Enterprise Server rather than domain-wide.
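The script below is an added example, not DeviceLock's own code. It applies the two Network security options above through their registry values and reads them back, and optionally also the UAC remote-restriction value referenced in the note under LOCAL ADMINISTRATIVE PRIVILEGES, so it serves both passages. The registry mappings are assumptions taken from Microsoft's security policy settings reference and the linked UAC article; verify them against those pages before relying on the script.

```powershell
# Added example (not DeviceLock's own code). Run elevated on the computer that
# needs to talk to DeviceLock Enterprise Server. Assumed policy-to-registry
# mappings (verify against Microsoft's documentation):
#   Allow Local System to use computer identity for NTLM = Disabled
#     -> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseMachineId = 0
#   Allow LocalSystem NULL session fallback = Enabled
#     -> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\AllowNullSessionFallback = 1
#   UAC remote restrictions disabled (KB951016)
#     -> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = 1
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';        Name = 'UseMachineId';             Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'AllowNullSessionFallback'; Value = 1 }
)

# Only needed when a local (non-domain) administrator account is used for remote
# DeviceLock administration; domain accounts in the local Administrators group
# are not subject to UAC remote restrictions. Leave this off otherwise, because
# it also gives every local administrator account a full token over the network.
$UseLocalAdminAccounts = $false
if ($UseLocalAdminAccounts) {
    $Settings += @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
                    Name  = 'LocalAccountTokenFilterPolicy'; Value = 1 }
}

function Set-AndVerifyDword {
    param([string] $Path, [string] $Name, [int] $Value)
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name
    # Before = $null means the value was not configured (default behaviour applied)
    [pscustomobject]@{ Setting = "$Path\$Name"; Before = $before; After = $after; Applied = ($after -eq $Value) }
}

foreach ($s in $Settings) { Set-AndVerifyDword @s } | Format-Table -AutoSize
```

The Before column is worth keeping in change records: it shows whether a host was previously at the secure default, which is what you will want to restore if the DeviceLock role is later removed from that machine.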