I'm curious as to why the service is used to scan the machine remotely. With this method the client machines
need to have an admin exception in the firewall with the lansweeper server ip. Why not let the executable that
runs in the logon script do the scanning and the post the results to the server?
Although, making the exception in client's firewall isn't hard, it reduces security. Currently our XP clients are
configured with no admin exceptions. I like this because if you try to ping the client you will get destination host
unreachable, because it denies ICMP requests by default. However, once an admin exception is made, an "allow incoming echo request"
exception is also made and it can't be removed. This is the default behavior of XP's firewall.
I know that for in order Vista to work as I'm suggesting you would have to open outgoing port(s) since the firewall
protects against both incoming and outgoing communication. However, this to me anyway, is still more secure than
the current method.
I'm sure there is probably a very logical reason why this route was chosen over what I'm suggesting, but if not
maybe its something to consider.
Note (10/20/2008): Well after doing some research, it turns there are several free utilities that can determine
whether a remote machine is online even if the firewall is enabled (Google "
ping xp with firewall on" here's a utility I found http://www.foundstone.com/us/resources/proddesc/superscan.htm)
and blocking ping requests. So, from a security perspective the fact that the firewall blocks incoming echo requests isn't that much of a deterrent.
Sorry for thinking aloud.