Knowing how the Push Deploy scan process works makes it easier to understand what each prerequisite is for and how to configure the network for the most successful scanning results.
During the Local Push Scan process the Push Deploy Tool will attempt to create a folder called NetworkDetectivePushDeploy-[Computername] in the Admin$ share of each machine, where [Computername] represents the remote machine's hostname. Once the directory has been created it will copy over a self-extracting executable called NetworkDetectiveDatacollectorBins.exe. Next, it will launch the executable, extracting all the data collector executables into that folder.
Once the data collectors have been extracted it will launch the data collector based on the scan(s) selected in the Push Deploy scan settings. When the scan completes it will save the file in the directory specified in the scan settings. Note: By default, if an output directory has not been specified, it will save the scans in the same directory you launched the Push Deploy Tool from.
Push Deploy Tool Prerequisites for scanning in a Domain Environment
- WMI - Is used to launch the data collectors on the remote machines. The following article provides step-by-step instructions on how to create a GPO that allows access to WMI through the local Windows Firewall on machines joined to the Domain - https://support.rapidfiretools.com/hc/en-us/articles/360007604538-Configure-GPO-to-Allow-WMI-access-to-all-workstations-in-a-Domain-Environment
- Admin$ (C:\Windows) - Is the folder location on the remote endpoints where the Push Deploy Tool will create its working directory \NetworkDetectivePushDeploy-[Computername], where [Computername] is the hostname of the remote machine. In order for the Push Deploy Tool to create the working directory on the remote machines, "File and Printer Sharing" must be enabled for domain users. Most Active Directory Domains have it enabled already, but in cases where it is not, this can be accomplished by creating a GPO to allow file and printer sharing. There are many online articles on how to create a GPO for this.
Note: The PDT working directory is a temporary folder. Once the local scan completes on the machine, the directory is removed, leaving no footprints.
- .NET - Framework used by the data collectors. The local scan data collector cannot run if .NET 3.5 or later is not enabled.
Push Deploy Tool Prerequisites for scanning a Workgroup Environment
- WMI - Unlike domain environments, security policies are enforced locally on each individual machine. Therefore, in order to scan workgroup machines remotely via the WMI protocol, the following command must be run from an elevated command prompt on each machine in the Workgroup.
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
- Admin$ - In order to access the admin$ share on Workgroup machines, File and Printer Sharing needs to be enabled. File and Printer Sharing can be enabled by running the following command on each machine from an elevated command prompt.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
- .NET - Ensure .NET 3.5 or later is enabled on each machine in the workgroup.
- Local Account Token Filter Policy - By default, remote administrative tasks can only be performed on Workgroup machines by the Built-in Administrator. In order to allow any Local Admin to perform remote administrative tasks, the following command must be run from an elevated command prompt on each machine.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
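The following read-only PowerShell check reports whether the workgroup prerequisites above are in place on the machine it is run on. It is an added example, not part of the Push Deploy Tool or the original article; the function names are hypothetical, and it assumes English firewall group display names and the standard .NET setup registry keys.

```powershell
# Added example: read-only audit of the workgroup prerequisites; changes nothing.
# Run on the machine to be scanned. Assumes English firewall group names.

function Get-FirewallGroupCheck {
    param([string]$DisplayGroup)
    $rules = @(Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' })
    $on = @($rules | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        Check  = "Firewall group '$DisplayGroup'"
        # The netsh command enables every rule in the group, so expect all of them on.
        Pass   = ($rules.Count -gt 0 -and $on.Count -eq $rules.Count)
        Detail = "$($on.Count) of $($rules.Count) inbound rules enabled"
    }
}

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-PushDeployWorkgroupPrereqs {
    $results = @(
        Get-FirewallGroupCheck 'Windows Management Instrumentation (WMI)'
        Get-FirewallGroupCheck 'File and Printer Sharing'
    )
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $v35 = Get-RegistryValue "$ndp\v3.5" 'Install'
    $v4  = Get-RegistryValue "$ndp\v4\Full" 'Install'
    $results += [pscustomobject]@{
        Check = '.NET 3.5 or later'; Pass = ($v35 -eq 1 -or $v4 -eq 1)
        Detail = "v3.5 Install=$v35; v4 Full Install=$v4"
    }
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = Get-RegistryValue $sys 'LocalAccountTokenFilterPolicy'
    $results += [pscustomobject]@{
        Check = 'LocalAccountTokenFilterPolicy'; Pass = ($latfp -eq 1)
        Detail = if ($null -eq $latfp) { 'not set (default)' } else { "value=$latfp" }
    }
    $results
}

Test-PushDeployWorkgroupPrereqs | Format-Table -AutoSize -Wrap
```

Saving the output before and after applying the commands gives a per-machine record of which settings were changed for the scan.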
NOTE: The prerequisites noted above affect Windows settings ONLY. They do not take antivirus software into consideration, so the following exceptions may need to be added to the AV solution employed by the client.
Whitelisting Push Deploy Tool executables in Antivirus programs.
Some Antivirus programs require the executable name, the executable path, or both in order to whitelist executables. Below is a list of the executables used by the Push Deploy Tool as well as the path that needs to be whitelisted on each machine before a scan is performed.
Executables used by the Push Deploy Tool:
Path to executables
C:\Windows\NetworkDetectivePushDeployTool-[ComputerName] where [ComputerName] represents the remote machine's hostname.
NOTE: Because the Push Deploy Tool creates a working directory based on the hostname of the remote computer, a wildcard might need to be specified when whitelisting the path to the folder containing the executables.