How to prepare computers so that you can protect and manage them from the console using Active Directory
To protect and manage computers from the Sophos console, via the Protect computers wizard, you have to re-configure certain default security settings on the endpoint computers. This article explains how you can make these changes centrally via a Group Policy Object (GPO) using Active Directory. You will then be able to:
- Install endpoint software onto computers using the console.
- Manage the installation after it has completed.
- Ensure the installation successfully updates from the software distribution point.
Note: The instructions in this article supersede all other instructions contained in Sophos documentation.
Known to apply to the following Sophos product(s) and version(s)
Enterprise Console 4.0.0
Enterprise Console 4.5.0
Enterprise Console 4.5.1
Enterprise Console 4.7.0
Enterprise Console 4.7.1
Sophos Enterprise Manager 4.7.0
Sophos Control Center 4.0.1
Sophos Control Center 4.1
Assumptions
- The requirements mentioned in this article have been tested with an ‘Out of the box’ Windows installation. Specific environmental security changes are not covered.
- The user performing the deployment has the required domain administrator or equivalent level credentials over the endpoint computers.
- Endpoints are able to resolve the name of the Sophos distribution server (hosting protection updates) either by NetBIOS/WINS or DNS and vice-versa.
- The network environment is compatible with a Windows Domain (SMB equivalent with UNC accessibility). If you do not have a domain environment, or you have Enterprise Console v5.1 installed, check the table below for the correct article to use.
| Console version | Domain environment | Workgroup environment |
|---|---|---|
| Enterprise Console v5.1 only | See article 116754 | See article 116755 |
| Enterprise Console v5.0 and v4.x; Enterprise Manager v4.7; Control Center v4.x | See this article. | See article 29728 |
What to do
When planning your deployment, and before re-configuring your network, you should ensure that all computers you want to install Sophos endpoint software onto meet at least the minimum system requirements. For more information see article 113278.
If you would like to know how the mechanism of deployment from the console works see article 116880.
Overview of required settings
The table below gives an overview of all the settings required to protect and manage an endpoint computer. If you are familiar with creating and configuring Group Policy Objects (GPOs) you can use the table below to quickly configure your network. If you require detailed instructions see Creating a Group Policy Object.
| Requirement | 2003 domains | 2008 domains |
|---|---|---|
| Windows Firewall rules (XP and above) | Allow file and printer sharing exception | File and Printer Sharing (all rules) |
| Ports | TCP 8192 and TCP 8194 (inbound and outbound) | TCP 8192 and TCP 8194 (inbound and outbound) |
| Services | Remote Registry (started); Task Scheduler (started); Windows Installer (stopped but not disabled) | Same as 2003 domains |
| UAC¹ | Disabled | Disabled |
¹ Cannot be set on a Windows 2003 domain level server.
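Before rolling out the GPO it helps to know what an endpoint looks like against the table above. The following script is an added example, not part of the Sophos article: run from an elevated PowerShell prompt on an endpoint, it reports each requirement as pass/fail. The firewall check parses 'netsh advfirewall', which exists on Windows Vista / Server 2008 and later only (XP and 2003 clients use the older firewall policy and are not covered). The registry value name EnableInstallerDetection is the standard mapping of the policy 'User Account Control: Detect application installations and prompt for elevation'; that mapping is an assumption, not something the article states.

```powershell
# Added example (not from the Sophos article): audit one endpoint against the
# "Overview of required settings" table. Run elevated on the endpoint.
# Assumption: EnableInstallerDetection is the registry value behind the UAC policy
# 'Detect application installations and prompt for elevation'.

function Get-ServiceStartMode {
    # Returns 'Auto', 'Manual', 'Disabled' or $null when the service does not exist.
    param([string]$Name)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) { return $null }
    return $svc.StartMode
}

function Test-FirewallPortRule {
    # $true when an enabled Allow rule in the given direction ('in' or 'out')
    # covers TCP $Port explicitly, through a range, or through 'Any'.
    param([int]$Port, [string]$Direction)
    $text = (netsh advfirewall firewall show rule name=all "dir=$Direction" 2>$null) -join "`n"
    foreach ($rule in ($text -split "`n\s*`n")) {
        if ($rule -notmatch 'Enabled:\s+Yes')             { continue }
        if ($rule -notmatch 'Action:\s+Allow')            { continue }
        if ($rule -notmatch 'Protocol:\s+(TCP|Any)')      { continue }
        if ($rule -notmatch 'LocalPort:\s+(.+)')          { continue }
        foreach ($p in ($Matches[1] -split ',')) {
            $p = $p.Trim()
            if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
            if ($p -match '^(\d+)-(\d+)$' -and
                [int]$Matches[1] -le $Port -and [int]$Matches[2] -ge $Port) { return $true }
        }
    }
    return $false
}

function Test-SophosDeploymentReadiness {
    $checks = @()
    # Service names: Remote Registry, Task Scheduler, Windows Installer.
    $wanted = @{ RemoteRegistry = 'Auto'; Schedule = 'Auto'; msiserver = 'Manual' }
    foreach ($name in $wanted.Keys) {
        $mode = Get-ServiceStartMode -Name $name
        $checks += New-Object PSObject -Property @{
            Check  = "Service $name start mode = $($wanted[$name])"
            Actual = $mode
            Pass   = ($mode -eq $wanted[$name])
        }
    }
    foreach ($port in 8192, 8194) {
        foreach ($dir in 'in', 'out') {
            $ok = Test-FirewallPortRule -Port $port -Direction $dir
            $checks += New-Object PSObject -Property @{
                Check = "Firewall rule allows TCP $port ($dir)"; Actual = $ok; Pass = $ok
            }
        }
    }
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $detect = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).EnableInstallerDetection
    $checks += New-Object PSObject -Property @{
        Check = 'UAC installer detection disabled (value 0)'; Actual = $detect; Pass = ($detect -eq 0)
    }
    return $checks
}

Test-SophosDeploymentReadiness | Format-Table Check, Actual, Pass -AutoSize
```

Two things to keep in mind when reading the output: the outbound checks look for the explicit outbound rule the article creates, so they report a failure on a machine where outbound traffic is simply allowed by the default policy; and an absent EnableInstallerDetection value means the Windows default (detection on), which the table treats as not ready.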
Creating a Group Policy Object
To help guide you through the process of creating a GPO we have separated the instructions into two sections depending on the operating system of your domain controller: the Windows 2003 Level Domain Policy section below covers Windows Server 2003 domain controllers, and the Windows 2008 (and above) Level Domain Policy section covers Windows Server 2008 and later.
Windows 2003 Level Domain Policy
Open Active Directory Users and Computers:
- Start | All Programs | Administrative Tools | Active Directory Users and Computers
  Or: Start | Run | Type: dsa.msc | Press return.
- Select the domain name from the left-hand tree
- Right-click the domain name and select 'Properties'
- Select the 'Group Policy' tab
- Select 'New'
- Enter a name for the new Group Policy object (GPO). Example: GPO to deploy Sophos endpoint software
- Select the new GPO and click 'Edit'
- The Group Policy Object Editor window will open
Disable User Account Control (UAC):
If you have Windows Vista or Windows 7 clients on your network but only have a Windows 2003 domain controller you cannot control UAC settings from the Windows 2003 domain controller. You can either:
- Disable UAC locally at each client computer. For more information please see: Turn User Account Control on or off.
- On a Vista/Windows 7/2008 computer that is joined to the domain, create a GPO using its updated set of Group Policies. For more information on this ability please see Deploying Group Policy Using Windows Vista. If using this option on a Windows 2003 domain, follow the instructions in the Windows 2008 (and above) Level Domain Policy section below.
Configure the required Windows services:
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services
- In the right-hand panel select the following items and define as suggested:
- Remote Registry | Automatic
- Task Scheduler | Automatic
- Windows Installer | Manual
Create deployment rules for the Windows Firewall:
- From the left-hand panel navigate to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile
- Right-click 'Windows Firewall: Allow remote administration exception' and select 'Properties'
- On the 'Settings' tab select 'Enable' and click OK
- Right-click 'Windows Firewall: Allow file and printer sharing exception' and select 'Properties'
- On the 'Settings' tab select 'Enable' and click OK
Create inbound and outbound Sophos Remote Management System (RMS) rules for the Windows Firewall:
- From the left-hand panel navigate to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile
- Right-click 'Windows Firewall: Define port exceptions' and select 'Properties'
- On the 'Settings' tab select 'Enable'
- Select the 'Show' button
- In the 'Show Contents' window select 'Add'
- Add the item: 8192:TCP:*:enabled:Sophos8192 and click OK
- Add the item: 8194:TCP:*:enabled:Sophos8194 and click OK to confirm all changes
- Right-click 'Windows Firewall: Allow file and printer sharing exception' and select 'Properties'
- On the 'Settings' tab select 'Enable'
- In the field beneath 'Allow unsolicited incoming messages from:' enter: *
  NOTE: If you wish to define a narrower range of IP addresses please see the 'Syntax' explanation section shown on screen.
- Click OK to confirm and save all changes
Windows 2008 (and above) Level Domain Policy
Open and Edit the Group Policy:
- Open the Group Policy Management window and edit the appropriate domain Group Policy:
  Start | All Programs | Administrative Tools | Group Policy Management
  Or: Start | Run | Type: gpmc.msc | Press return.
- Create a new Group Policy object. For more information please see: Create or delete a Group Policy object.
Disable User Account Control (UAC):
- User Account Control (UAC) only needs to be disabled during deployment; this will require a restart to take effect. After deployment, UAC should be re-enabled.
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
- In the right-hand panel select the following item and define as suggested:
- User Account Control: Detect application installations and prompt for elevation | Disable
Configure the required Windows services:
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | System Services
- In the right-hand panel select the following items and define as suggested:
- Remote Registry | Automatic
- Task Scheduler | Automatic
- Windows Installer | Manual
Create deployment rules for the Windows Firewall:
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules
- Right-click 'Inbound Rules' and select 'New Rule...'
- Select 'Predefined:' and from the dropdown list 'File and Printer Sharing' and click Next
- Ensure the box for the 'Network Discovery (LLMNR-UDP-In)' is checked and click Next
- Select 'Allow the connection' and click Finish
- Right-click 'Inbound Rules' and select 'New Rule...'
- Select 'Predefined:' and from the dropdown list 'Remote Service Management' and click Next
- Ensure the box for the ‘Remote Service Management (NP-In)’ is checked and click Next
- Select 'Allow the connection' and click Finish
Create an inbound Sophos Remote Management System (RMS) rule for the Windows Firewall:
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Inbound Rules
- Right-click 'Inbound Rules' and select 'New Rule...'
- Select 'Port' and click Next
- Select 'TCP', select 'Specified local ports:' and enter: 8192, 8194 then click Next
- Select 'Allow the connection' and click Next
- Check only the 'Domain' option and click Next
- Name the rule 'Sophos RMS Rule'. Optionally enter a useful description and click Finish.
Create an outbound Sophos Remote Management System (RMS) rule for the Windows Firewall:
- From the left-hand panel navigate to Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security | Windows Firewall with Advanced Security | Outbound Rules
- Right-click 'Outbound Rules' and select 'New Rule...'
- Select 'Port' and click Next
- Select 'TCP', select 'Specified local ports:' and enter: 8192, 8194 then click Next
- Select 'Allow the connection' and click Next
- Check only the 'Domain' option and click Next
- Name the rule 'Sophos RMS Rule'. Optionally enter a useful description and click Finish.
NOTE: Incoming TCP 8192 is only a requirement of the server with the Sophos Management Service. For increased security 8192 can be defined in a group policy object that only applies to your Sophos management server. For more information on firewall ports used by the Sophos Remote Management System see article 110297.
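The Windows 2008 (and above) steps above, together with the NOTE about scoping inbound TCP 8192 to the management server, can also be built with the GroupPolicy and NetSecurity PowerShell modules. The script below is an added example, not Sophos code: it needs Windows Server 2012 or RSAT for Windows 8 or later (these cmdlets do not exist on Server 2008, where the GPO editor steps apply). The domain name contoso.example, both GPO names and the OU distinguished names are placeholders, and the predefined 'File and Printer Sharing' and 'Remote Service Management' groups are copied from the built-in rule set of the machine the script runs on (an assumption about where those templates come from). Two deliberate differences from the GUI steps: the outbound rule matches the console's ports as remote ports rather than local ports, and inbound 8192 is placed in a second GPO linked only to the management server, as the NOTE suggests. The System Services start modes are not exposed by these cmdlets and still need the 'System Services' editor steps.

```powershell
# Added example (not from the Sophos article): GPO build for the Windows 2008+ steps.
# Requires the GroupPolicy and NetSecurity modules (Server 2012 / RSAT for Windows 8+).
# All names and OU paths below are placeholders.
Import-Module GroupPolicy
Import-Module NetSecurity

$domain      = 'contoso.example'                           # placeholder
$endpointGpo = 'Sophos endpoint deployment'                # placeholder
$serverGpo   = 'Sophos management server firewall'         # placeholder
$endpointOu  = 'OU=Workstations,DC=contoso,DC=example'     # placeholder
$serverOu    = 'OU=Sophos Servers,DC=contoso,DC=example'   # placeholder
$uacKey      = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-OrCreateGpo {
    param([string]$Name, [string]$Domain)
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if ($null -eq $gpo) { $gpo = New-GPO -Name $Name -Domain $Domain }
    return $gpo
}

function Add-GpoPortRule {
    # Creates a Domain-profile TCP Allow rule in the GPO's policy store unless it exists.
    param([string]$Store, [string]$DisplayName, [string]$Direction,
          [int[]]$LocalPort, [int[]]$RemotePort)
    if (Get-NetFirewallRule -PolicyStore $Store -DisplayName $DisplayName -ErrorAction SilentlyContinue) { return }
    $params = @{ PolicyStore = $Store; DisplayName = $DisplayName; Direction = $Direction
                 Protocol = 'TCP'; Profile = 'Domain'; Action = 'Allow' }
    if ($LocalPort)  { $params.LocalPort  = $LocalPort }
    if ($RemotePort) { $params.RemotePort = $RemotePort }
    New-NetFirewallRule @params | Out-Null
}

# --- Endpoint GPO -------------------------------------------------------------
Get-OrCreateGpo -Name $endpointGpo -Domain $domain | Out-Null
$store = "$domain\$endpointGpo"

# UAC: 'Detect application installations and prompt for elevation' = Disabled.
# Deployment-only setting; EnableInstallerDetection is the assumed registry mapping.
Set-GPRegistryValue -Name $endpointGpo -Domain $domain -Key $uacKey `
    -ValueName 'EnableInstallerDetection' -Type DWord -Value 0 | Out-Null

# Predefined inbound groups named in the article, copied from this machine's rule set.
foreach ($group in 'File and Printer Sharing', 'Remote Service Management') {
    Get-NetFirewallRule -PolicyStore PersistentStore -DisplayGroup $group -Direction Inbound |
        Copy-NetFirewallRule -NewPolicyStore $store -ErrorAction SilentlyContinue
}

# RMS: endpoints accept 8194 only; outbound goes to the console's 8192/8194.
Add-GpoPortRule -Store $store -DisplayName 'Sophos RMS Rule (Inbound)'  -Direction Inbound  -LocalPort 8194
Add-GpoPortRule -Store $store -DisplayName 'Sophos RMS Rule (Outbound)' -Direction Outbound -RemotePort 8192, 8194

New-GPLink -Name $endpointGpo -Domain $domain -Target $endpointOu -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# --- Management server GPO: inbound 8192 is only required here -------------------
Get-OrCreateGpo -Name $serverGpo -Domain $domain | Out-Null
Add-GpoPortRule -Store "$domain\$serverGpo" -DisplayName 'Sophos RMS Server (Inbound)' `
    -Direction Inbound -LocalPort 8192, 8194
New-GPLink -Name $serverGpo -Domain $domain -Target $serverOu -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null
```

Run it from an account with rights to create and link GPOs, then check the result on a client with gpupdate /force followed by gpresult /r; because the server-only GPO carries the 8192 listener, a workstation that has picked up only the endpoint GPO should show no inbound 8192 rule.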
Post Deployment Recommendations
Once deployment is complete it is recommended that the following be returned to their original settings:
- Vista and above: Under services stop the Remote Registry service and set to disabled startup.
- Vista and above: User Account Control should be set to Default.
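The two recommendations above can be applied and verified with the following script, which is an added example and not Sophos code. Run it elevated on each Vista-or-later client once the endpoint software is installed and reporting to the console. If the UAC setting is still delivered by the deployment GPO, a local change is overwritten at the next policy refresh; in that case use the Remove-SophosDeploymentGpoOverride function (GroupPolicy module, GPO name and domain are placeholders) so that clients fall back to the Windows default. EnableInstallerDetection is the standard registry mapping of the UAC installer-detection policy, an assumption rather than something the article states.

```powershell
# Added example (not from the Sophos article): revert the deployment-only settings
# listed under "Post Deployment Recommendations" and report the resulting state.
# Assumption: EnableInstallerDetection is the registry value behind the UAC policy
# 'Detect application installations and prompt for elevation'.

function Restore-SophosPostDeploymentSettings {
    param([switch]$WhatIf)
    # 1. Remote Registry: stop the service and set its startup type to Disabled.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name RemoteRegistry -Force -WhatIf:$WhatIf }
        Set-Service -Name RemoteRegistry -StartupType Disabled -WhatIf:$WhatIf
    }
    # 2. UAC installer detection back to the default (enabled). Takes effect after a restart.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $uacKey -Name EnableInstallerDetection -Value 1 -Type DWord -WhatIf:$WhatIf
}

function Remove-SophosDeploymentGpoOverride {
    # Drops the UAC override from the deployment GPO (placeholder name/domain) so that
    # clients return to the default at their next policy refresh.
    param([string]$GpoName, [string]$Domain)
    Import-Module GroupPolicy
    Remove-GPRegistryValue -Name $GpoName -Domain $Domain `
        -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'EnableInstallerDetection' | Out-Null
}

function Test-SophosPostDeploymentState {
    # Reports whether both recommendations are in place on this machine.
    $svc    = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
    $detect = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                -ErrorAction SilentlyContinue).EnableInstallerDetection
    New-Object PSObject -Property @{
        RemoteRegistryStopped  = ($null -eq $svc -or $svc.State -eq 'Stopped')
        RemoteRegistryDisabled = ($null -eq $svc -or $svc.StartMode -eq 'Disabled')
        UacInstallerDetection  = ($null -eq $detect -or $detect -eq 1)   # absent = default
    }
}

Restore-SophosPostDeploymentSettings -WhatIf   # drop -WhatIf to apply the changes
Test-SophosPostDeploymentState
```

The Remote Registry start mode set through the GPO's System Services node has no registry-value equivalent that Remove-GPRegistryValue can clear; set that item back to 'Not defined' in the GPO editor, or unlink the deployment GPO once every client is protected.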
Advanced Firewall Port Reference
| Windows Firewall Name | Direction | Protocol | Port | Program |
|---|---|---|---|---|
| File and Printer Sharing | Inbound | TCP | 445 | - |
| Remote Service Management (NP-In) | Inbound | TCP | 445 | - |
| Allow remote administration exception | Inbound | TCP | RPC Ports | Svchost.exe |
| Remote Scheduled Tasks Management (RPC) | Inbound | TCP | RPC Ports | Svchost.exe |
If you need more information or guidance, then please contact technical support.
- Article ID: 111180
- Created: 10 Jun 2010
- Last updated: 20 Feb 2012