Troubleshooting MBSA 2.0 and Windows Firewall

To scan a system remotely, MBSA 2.0 needs access to several ports and services. If you have deployed Windows XP Service Pack 2 (SP2) or Windows Server 2003 SP1 and enabled Windows Firewall, you might have difficulty using MBSA 2.0 to connect to remote network devices. MBSA online Help provides information about which ports you need to open to allow a scan to complete successfully. If MBSA 2.0 is unable to complete a particular scan, perhaps because of firewall configuration, it will attempt other scans, such as for weak passwords or poorly configured Microsoft IIS installations. One option to support MBSA 2.0 is to configure Windows Firewall centrally, using Group Policy to permit traffic through the ports and services identified in the MBSA Help file. When you configure the Windows Firewall, I recommend that you specify the host or subnet that MBSA 2.0 is run from, denying other systems with no business reason for doing so the ability to connect to clients.