Security Controls

Patch Scanning Prerequisites

The following criteria must be met to ensure a successful patch scan:

When scanning your local (console) machine

You must be an administrator on your local machine.

Credentials must be provided for the local machine. See Supplying Credentials for details.

The machine must be capable of obtaining the data definition file, either from a location on the Internet (via HTTP or HTTPS) or from another specified location (either on the local machine or from a specified network location).

The local machine’s Workstation service must be started.

The Server service is not required to be started on the local machine.

When scanning a remote machine, you must meet all the requirements for the local scan above, plus the following:

You must have local administrative rights on the remote machine and be able to log on to this machine from the workstation performing the scan.

Credentials must be provided for the target machines. See Supplying Credentials for details.

The credentials you supply must have access to the control panel on the target machine. If control panel access is disabled through group policy, Security Controls will be unable to connect to the target machine.

File and Print Sharing must be enabled.

The NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible on the remote machine.

The remote machine must be running the Server service.

The Workstation service is not required to be started on the remote machine.

The remote machine must be running the Remote Registry service.

The Remote Registry service is disabled by default on Windows Vista machines. You must enable the Remote Registry service (either manually or via group policy) before performing remote scans of Windows Vista machines.

The %systemroot% share (usually C$ or similar) must be accessible on the remote machine.

For machines running Windows operating systems that use User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:

Join the machines to a domain and then perform the scan using domain administrator credentials, or

If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:

1. Click Start, click Run, type regedit, and then press Enter.

2. Locate and then click the following registry subkey:


3. If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

a. On the Edit menu, point to New, and then click DWORD Value.

b. Type LocalAccountTokenFilterPolicy and then press Enter.

4. Right-click LocalAccountTokenFilterPolicy and then click OK.

5. In the Value data box, type 1, and then click OK.

6. Exit Registry Editor.

For more details on disabling UAC remote restrictions, see

Special note regarding Simple File Sharing

When Simple File Sharing is enabled, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work, because all remote users authenticate as Guest. Guest accounts do not have administrative privileges.

On Windows XP Professional or later operating systems, see Microsoft Knowledge Base article 304040 to learn more about this feature and how to disable Simple File Sharing.

If you are running Windows XP Home Edition, Simple File Sharing cannot be disabled (Microsoft states that it is as designed), so remote scanning will not work on this operating system.
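
The local and remote prerequisites listed above can be verified from the console before a scan is attempted. The following PowerShell script is an added example, not part of Security Controls or its documentation; the host name TARGET-HOSTNAME, the C$ share name and the helper Test-RemoteService are assumptions made for illustration.

```powershell
# Added example (not vendor code): pre-flight check for the patch-scan prerequisites.
# Run on the scanning console as the account the scan will use.
# 'TARGET-HOSTNAME' and the C$ share name are placeholders (assumptions).
param(
    [string]$Target = 'TARGET-HOSTNAME',
    [string]$SystemShare = 'C$'
)

function Test-RemoteService([string]$Computer, [string]$Name) {
    # sc.exe queries the remote Service Control Manager; RUNNING appears in the STATE line.
    $out = & sc.exe "\\$Computer" query $Name 2>&1 | Out-String
    return ($LASTEXITCODE -eq 0 -and $out -match 'RUNNING')
}

$checks = [ordered]@{}

# Local console: administrator token and Workstation service.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$checks['Local: running as administrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$checks['Local: Workstation service running'] = (Get-Service -Name LanmanWorkstation).Status -eq 'Running'

# Remote: NetBIOS (TCP 139) or Direct Host (TCP 445); either one satisfies the requirement.
$open = foreach ($port in 139, 445) {
    (Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
}
$checks['Remote: TCP 139 or 445 reachable'] = $open -contains $true

# Remote: Server and Remote Registry services must be running.
$checks['Remote: Server service running'] = Test-RemoteService $Target 'LanmanServer'
$checks['Remote: Remote Registry service running'] = Test-RemoteService $Target 'RemoteRegistry'

# Remote: the %systemroot% share must be accessible with the current credentials.
$checks["Remote: $SystemShare share accessible"] = Test-Path -LiteralPath "\\$Target\$SystemShare"

# Print one OK/FAIL line per prerequisite.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-42} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on the share check while the port and service checks pass usually points at the UAC remote restrictions or Simple File Sharing conditions described above.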




