Asking for Credentials from IT
If you are not part of the IT group, you may have to ask someone for the right credentials to perform patch and configuration audits with Nessus. This blog entry will offer some advice and strategies to consider when attempting to obtain access to the devices for auditing.
Who Doesn't Have Credentials?
If your organization has mandated security audits, they may have also mandated that credentials be provided to the group performing network scans. If your group is like this, then this blog entry isn't for you. However, you should realize that there are still many organizations where the "audit" group doesn't have full access to the devices they are scanning.
Benefits for IT from Credentialed Scanning
Credentialed audits can show a variety of "good" news about an IT group.
If systems are being patched on a regular basis, then a patch audit won't find many problems. This can show IT management an independent confirmation of how their network is being operated.
When missing patches are found, they are 100% accurate and actionable. This is not to say that a network scan isn't accurate (Tenable shoots for 100% accuracy), but Nessus network scans don't immediately tell you which patch to apply. A vulnerable version of Apache could have any number of potential fixes, but with credentials, the exact missing security patch(es) can be discovered. This is also more efficient to task an IT administrator with. Rather than saying "upgrade Apache" which is ambiguous, someone can say "apply patch #4637".
Credentialed scans can identify and list all of the UNIX and Windows software that has been installed. If you are viewing the data in the Security Center, then the results can be searched or even used to create dynamic asset lists of systems that have certain types of software installed. We've recently blogged about this concept.
And finally, if you are managing your Nessus scanners with the Security Center or subscribed to the Direct Feed, a configuration audit can be performed. If an IT group is managing all of their system configurations centrally, then these audits should independently show consistency and conformity to a global policy. Even if no strict corporate configuration polices are enforced, auditing systems against various government standards for passing and failing settings can also highlight where an IT organization has performed well.
Know What To Ask For
For Windows audits, asking for full domain administrator rights does give Nessus enough credentials to perform its audits, but this sort of request can be unfathomable to an IT group. Instead, Tenable recommends two strategies.
First, consider asking for access to the "backup" account. This account likely has access to read both files and system settings. Second, consider asking for a specific "audit" account be created with similar read-only access. A dedicated "audit" account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.
For UNIX, Nessus supports SSH passwords and public/private keys. For patch auditing, root access is recommended but not mandatory. Be aware the some more secure UNIXes (such as Trusted Solaris) may require root to obtain a package list.
For UNIX configuration auditing, keep in mind that appropriate access is required. For example, a file owned by root might only be "readable" by a root user or someone in the "wheel" group.
Sharing Data With IT
If you do have access to IT and perform scans, sharing the data, or even making sense of it, can be difficult.
Some organizations let IT perform their own scans, and this is great from a "self test" perspective, but self audits are not reliable and should be performed by a 3rd party not involved in the day-to-day operation of the network.
If an audit group performs ad-hoc scans on a set schedule of keys assets and shares the results with asset owners, the right data can be sent to the right people in a timely manner. There is overhead through tracking the need for performing re-scans, tracking which systems should be scanned and even which people in IT have the right to see or review the data.
Tenable offers the Security Center which can be used to centralize scanning, scan results, analyzing the data and tracking which systems need to be re-scanned. Only the specific users of certain IT assets can see the results for those assets. The Security Center can also offer IDS event viewing and log analysis to the same IT users.
If you can't get Credentials
If you are faced with performing network audits without access to system credentials, what are you facing? Several things:
There will be less information on specific client-side (such as Internet Explorer and Mozilla) vulnerabilities. Some clients (such as iTunes) do have network services that Nessus can discover and reliably identify.
The vulnerabilities found will be very accurate, but sometimes very generic. As in the Apache example discussed above, knowing a vulnerability and knowing a patch are two different things. Typically, Nessus network scans can tell you that an upgrade is required, but not the specific patches that are missing. One exception to this rule is while scanning Windows network services. Very often, Nessus will be able to determine the exact patch required, even without credentials.
If things haven't been locked down, don't be surprised if your Nessus scan reports some patch audits. If you have an Admin account on Windows that is not password protected, or similarly with a Guest account, Nessus may be able to use those credentials when performing a scan.
If the audit group does have access to part of the domain with (such as a regular user's username and password), this type of account may be enough to audit other Windows systems on the domain. It all depends on how locked down the network it.
Lastly, if credentials are not available, consider deploying the Passive Vulnerability Scanner alongside your Nessus scanners. This sniffer can find many client and server side vulnerabilities without any scanning at all. It also integrates seamlessly with the Security Center for centralizing active, passive and credentialed vulnerability and configuration data into one spot. If data obtained passively is contrary to what IT is claiming (i.e., they may claim that all web browsers are patched, but sniffing clearly shows older versions of Mozilla) this may also be enough evidence to convince management to allow auditing with full credentials.
For More Information
If performing credentialed audits with Nessus is a new concept for you, a good place to start is the Nessus Credentialed Checks for UNIX and Windows paper. To help understand the advantages and limitations of active scanning, credentialed scanning and passive network monitoring, please read the Blended Security Assessments paper.