How do you handle these situations during a vulnerability assessment?


zuessh

I am hoping to get feedback/advice/thoughts on handling the following situations during a vulnerability assessment:

  • Site consists of ~15 Windows PCs with no domain controller and uses local logins
  • PC configs are not all the same (local firewall enabled, remote registry, etc.) and there is no mechanism for standardizing the configs

So, aside from the obvious issues above, when you are performing a vulnerability assessment and need to authenticate to every machine, do you go to each machine and create a local account for each machine, and do you have to go to every machine and verify configs so the vulnerability tools can perform as needed?

Seems there has to be a better solution...

Thanks in advance.


Just a simple vulnerability assessment/scan to determine software levels, vulnerable software installations, users, misconfigurations, etc. using basic/standard scan policies from any vulnerability software (OpenVAS, Nexpose, Nessus, etc.).

In most cases I have come up against, the vulnerability scanning tools need credentials so they can authenticate to a machine to perform the necessary enumeration of users, user configurations, software installed, services, etc.

The challenge is not everyone has a domain structure where a domain user can be added that would have rights, or a tool (group policy) to make sure there are standard configs in an environment.

I was 'hoping' someone has already had this experience and perhaps has a better solution than what I have come up with so far - going to each machine and configuring it as necessary...


For that type of scan you will need an account on each machine. From your first post it sounded like you had a single instance of this to cover. In this case, you could see if they have a common local administrator account that has the same password across all machines, or for just 15 machines you could have a local user just come and type their passwords in and do 15 individual scans.

If you are talking about doing this regularly, then if it is going to be repeated against the same client multiple times it may be worth adding a user to test as, but if you do, make sure it has a strong password and is disabled between tests. If these are all going to be one-offs then it would all depend on what the company would let you do.

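Added example, not part of the original thread: a read-only PowerShell check that can be run once on each workgroup PC to record the settings the thread mentions (Remote Registry, local firewall, the test account and whether it is disabled). The account name `scan-svc` and the output file name are hypothetical, and the list of settings is an assumption about what a credentialed SMB scan typically needs, so compare it with your scanner's own documentation.

```powershell
# Read-only audit. Run locally in an elevated Windows PowerShell 5.1 session.
# Nothing is changed on the machine; results go to one CSV file per host.
param(
    [string]$ScanAccount = 'scan-svc',   # hypothetical name of the local test account
    [string]$OutFile     = ".\scan-readiness-$env:COMPUTERNAME.csv"
)

# Remote Registry service: current state and start mode
$rr = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

# Firewall profiles that are switched on (Domain/Private/Public)
$fwOn = (Get-NetFirewallProfile |
    Where-Object { $_.Enabled -eq 'True' }).Name -join ';'

# Enabled inbound allow rules in the File and Printer Sharing group
# (display group name as shown on English-language Windows)
$smbRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }).Count

# Remote UAC filtering for local accounts: 1 means filtering is off,
# missing or 0 means remote local-admin logons get a filtered token
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp  = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy `
    -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy

# Test account: does it exist, and is it left enabled between assessments?
$acct = Get-LocalUser -Name $ScanAccount -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer                      = $env:COMPUTERNAME
    RemoteRegistryState           = $rr.State
    RemoteRegistryStartMode       = $rr.StartMode
    FirewallProfilesOn            = $fwOn
    SmbInboundAllowRules          = $smbRules
    LocalAccountTokenFilterPolicy = if ($null -eq $latfp) { 'not set' } else { $latfp }
    ScanAccountPresent            = [bool]$acct
    ScanAccountEnabled            = if ($acct) { $acct.Enabled } else { $null }
} | Export-Csv -Path $OutFile -NoTypeInformation
```

Collecting the 15 CSV files gives a per-host list of differences to put in the report, and a record of any test account that was left enabled after the last scan.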

Just write the finding up that they need some consistency and central. If they don't have that, detecting an intrusion would be near on impossible.

Also, if the agents need to run on the machine you don't need an account per se, you just need the agent installed as a local service. If you are implementing a host-based vulnerability scanner, they should run each day or once a week and the collated reports need to be actioned.


He was talking about scanning, not HIDS. I don't know about Nexpose, but OpenVAS and Nessus don't install anything; they take a set of user credentials and connect to the server to do the scan. Nothing is left behind.


He was talking about scanning, not HIDS. I don't know about Nexpose, but OpenVAS and Nessus don't install anything; they take a set of user credentials and connect to the server to do the scan. Nothing is left behind.

Scanners can have agents and they are different to HIDS.

Vulnerability scanners look for installed apps, open ports, users enabled, etc. and are on the schedule, while HIDS is more focused on detecting intrusion onto a system. Scanner trying to catch things before intrusion and HIDS detecting an intrusion.

Also should really have a domain and you should be disabling network logon to local accounts. This is a good write-up on it: https://dfirblog.wordpress.com/2015/11/01/protecting-windows-networks-local-administrative-accounts-management/
