SEPM: Remote SEP deployment within a common WORKGROUP

Enable Computer Browser service
SEPM has to discover the computers within the WORKGROUP before it can deploy SEP remotely to them. You have to turn on the Computer Browser service; by default this service is disabled. You only need this service while SEPM discovers and enumerates the computers it is going to manage; once SEP is deployed to the computer you should stop the Computer Browser service again.

Either run services.msc or, from the Start menu, choose Administrative Tools –> Services.
[Screenshot: Win2K8R2 SEPM lab-2013-05-15-00-14-43]

Prepare for SEP deployment
Symantec's documentation states that deployment requires UDP 137 and 138 and TCP 139 and 445 on both the SEPM and the remote computer. UDP 137 and 138 are used for network discovery; TCP 139 and 445 are used to push the Symantec client after login.

SEPM uses NetBIOS to resolve your computer name and ICMP echo requests to find the computer. Depending on the remote computer's network profile (Home/Work, Private, Public), turn on network discovery on the applicable network profile.
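Before starting the push it is worth checking from the SEPM side that the client really is reachable on the ports listed above. The following PowerShell script is an added example, not part of the original post or Symantec's tooling; the computer name and IP address are placeholders, and the NetBIOS (UDP 137) check shells out to nbtstat because a plain TCP connect cannot probe UDP. It is written for the PowerShell 2.0 that ships with Windows 7 / Server 2008 R2, so it avoids newer cmdlets such as Test-NetConnection.

```powershell
# Added example: pre-flight reachability check run on the SEPM before a remote push.
# Placeholders: $Computer is the client's NetBIOS name, $IPAddress its address (TEST-NET-1 range).
param(
    [string]$Computer  = "CLIENT-PC",
    [string]$IPAddress = "192.0.2.10"
)

# TCP connect with a timeout; BeginConnect/EndConnect keeps this PowerShell 2.0 compatible.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()

# ICMP echo: this is what the "File and printer sharing (ICMPv4-In)" rule on the client must allow.
$ping = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet -ErrorAction SilentlyContinue
$results += New-Object PSObject -Property @{ Check = "ICMP echo"; Ok = [bool]$ping }

# NetBIOS name service (UDP 137): nbtstat -A lists the remote name table;
# a <20> entry means the client has registered its File Server service name.
$nbt = & nbtstat -A $IPAddress 2>$null
$results += New-Object PSObject -Property @{ Check = "NetBIOS UDP/137"; Ok = [bool]($nbt -match "<20>") }

# TCP 139 (NetBIOS session) and TCP 445 (SMB): needed to push the client after logon.
foreach ($p in 139, 445) {
    $results += New-Object PSObject -Property @{ Check = "TCP/$p"; Ok = (Test-TcpPort $IPAddress $p) }
}

# Name resolution, the same thing SEPM does when you search by computer name.
try   { $resolved = [System.Net.Dns]::GetHostAddresses($Computer) | Select-Object -First 1 }
catch { $resolved = $null }
$results += New-Object PSObject -Property @{ Check = "Resolve $Computer"; Ok = ($resolved -ne $null) }

$results | Format-Table Check, Ok -AutoSize

# Non-zero exit if anything failed, so the script can gate a scripted rollout.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

If the ICMP check fails but the TCP checks pass, the client's ICMPv4-In rule is the usual culprit and only the search-by-IP-address path is affected; if the NetBIOS check fails, the client's network discovery (and the UDP 137/138 rules) is the first thing to look at.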

In my case the remote computer's network interface is connected to a public network, so I turned on network discovery under the public profile.

Windows 7 computers typically enable Windows Firewall by default, and the network discovery rules are also turned on by default. Enable the File and printer sharing (ICMPv4-In) rule; it allows the remote computer to receive echo requests, and if you want to discover the remote computer by IP address this rule must be enabled in Windows Firewall.
[Screenshot: Win7 SEP Client1-2013-05-15-01-22-22]

On the remote computer, turn on network discovery under the profile that applies to you. In my case I turned it on under the public profile.

On the remote computer you also need to enable two more rules: File and printer sharing (NB-Session-In) and File and printer sharing (SMB-In).
[Screenshot: Win7 SEP Client1-2013-05-15-01-32-55]

On the remote computer you also need to enable the Administrator account, which is inactive in Windows 7. To activate it, run cmd as administrator:

net user administrator /active:yes

You will have to give the Administrator account a password; by default it has none.

Add a client
On the SEPM, create a group or use the default group, select the group and add a client.
[Screenshot: Win2K8R2 SEPM lab-2013-05-15-01-26-45]

Select remote push and click Next.

Search by computer name, or search for the computer by IP address.

To search by computer name, network discovery has to be turned on on the remote computer, and the Windows Firewall rules for network discovery (enabled by default) must be on. To search by IP address you must enable the File and printer sharing (ICMPv4-In) rule.

Select the discovered computer and click >>.

This is where you need the Administrator account. Windows 7 will refuse the login attempt if you use a user account that merely has administrator rights; only the Administrator account itself can be used.

Result after the login attempt was successful.

Click Send.

Wait for the deployment to finish.

Deployment is successful.

Click Finish.

After the client is installed, your managed SEP client may not be shown immediately; wait about 5 minutes and click Refresh, or simply wait until it appears.

Aftermath
On the remote computer's Windows Firewall, disable the File and printer sharing (SMB-In), File and printer sharing (NB-Session-In) and File and printer sharing (ICMPv4-In) rules. Turn off network discovery, then run cmd as administrator and deactivate the Administrator account:

net user administrator /active no

The Administrator account still appears on the logon screen, but you will not be able to log in with it even with the correct Administrator password.

To make the Administrator account never appear on your Winlogon screen, type:

net user administrator /active:no
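The preparation steps above (enable the three File and printer sharing rules, turn on network discovery, activate Administrator and give it a password) and the Aftermath steps that revert them are the same handful of settings flipped in opposite directions, so they are easiest to keep as one script with a Prepare and a Cleanup mode. The script below is an added example, not part of the original post or of Symantec's tooling; it runs on the Windows 7 client from an elevated PowerShell prompt and uses netsh and net user because the NetSecurity cmdlets did not exist on Windows 7. It assumes the public profile, as in the post, and uses the Windows 7 display name of the ICMP rule, File and Printer Sharing (Echo Request - ICMPv4-In), which is the rule the post refers to as File and printer sharing (ICMPv4-In); the FDResPub service is the Function Discovery Resource Publication service that the Network and Sharing Center toggle starts alongside the firewall group, included here so the script matches what the GUI does.

```powershell
# Added example: prepare a Windows 7 client for SEPM remote push, or revert it afterwards.
# Run elevated. Default profile is "public" to match the post; adjust -FwProfile if yours differs.
param(
    [ValidateSet("Prepare", "Cleanup")] [string]$Mode = "Prepare",
    [ValidateSet("public", "private", "domain", "any")] [string]$FwProfile = "public"
)

# Inbound rules the post enables for the push (Windows 7 display names).
$fpsRules = @(
    "File and Printer Sharing (SMB-In)",
    "File and Printer Sharing (NB-Session-In)",
    "File and Printer Sharing (Echo Request - ICMPv4-In)"
)

function Set-FpsRules([string]$Enable) {
    foreach ($r in $fpsRules) {
        & netsh advfirewall firewall set rule name="$r" dir=in profile=$FwProfile new enable=$Enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule '$r' (check the display name)" }
    }
}

function Set-NetworkDiscovery([string]$Enable) {
    # Firewall half of the Network and Sharing Center toggle: the Network Discovery rule group.
    & netsh advfirewall firewall set rule group="Network Discovery" dir=in profile=$FwProfile new enable=$Enable | Out-Null
    # Service half: Function Discovery Resource Publication makes the machine visible in discovery.
    if ($Enable -eq "yes") {
        Set-Service -Name FDResPub -StartupType Automatic
        Start-Service -Name FDResPub
    } else {
        Stop-Service -Name FDResPub -ErrorAction SilentlyContinue
        Set-Service -Name FDResPub -StartupType Manual
    }
}

switch ($Mode) {
    "Prepare" {
        Set-FpsRules "yes"
        Set-NetworkDiscovery "yes"
        # Activate the built-in Administrator, then set its password interactively:
        # "net user administrator *" prompts instead of leaving the password in the command history.
        & net user administrator /active:yes | Out-Null
        & net user administrator *
    }
    "Cleanup" {
        Set-FpsRules "no"
        Set-NetworkDiscovery "no"
        # Same deactivation as the post's final command.
        & net user administrator /active:no | Out-Null
    }
}

# Show the resulting state of each rule so the change can be verified before (or after) the push.
foreach ($r in $fpsRules) {
    & netsh advfirewall firewall show rule name="$r" profile=$FwProfile | Select-String "Rule Name", "Enabled"
}
```

Run it as .\Set-SepPush.ps1 -Mode Prepare before adding the client in SEPM and .\Set-SepPush.ps1 -Mode Cleanup once the client shows up as managed; the trailing netsh show output is the quick way to confirm the three rules are back to Enabled: No. The Computer Browser service on the SEPM side (the first section of the post) is a separate step on the server and is not touched by this client-side script.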
This entry was posted in Security.