Scanning Windows 7 With Nessus 4.2

by Paul Asadoorian
November 12, 2009

Windows 7 - a "Shiny" New Operating System

Most experts agree that producing Windows Vista was not a shining moment for Microsoft. It was plagued with problems from the start, including performance and stability issues. Many organizations flat out refused to upgrade from Windows XP to Vista, deeming it not worth the investment of resources and overall cost of the upgrade. Windows 7 is now here to replace Vista and XP, and the reviews have been positive from the beginning. In my own environment, I stayed away from Vista and jumped right into Windows 7. I believe that as Windows XP comes to its end of life, Windows 7 will step right in to replace it, despite the upgrade costs. Most people will likely skip the Windows Vista upgrade and gravitate towards the "shiny" new Windows 7 operating system.

Windows7-Shiny.png
An example of the "shiny" new OS, Windows 7 makes several improvements to the end user interface.

From a security perspective, we still face many of the same challenges we always did. The built-in firewall was overhauled, but is still best supplemented by third-party tools. In addition, malware is reported to run great on Windows 7 despite controls such as UAC, so there is no need for malware authors to have to port their code.

This leaves us with some new challenges to face as we have a new desktop operating system that is likely to see widespread adoption, most malware will run on it and it is largely untested in production against users and attackers alike. Nessus can help you ensure that Windows 7 is as secured as it can be by scanning it across the network, using credentialed scans to perform local patch checks and performing credentialed configuration audits to verify that it is configured securely. For our test, we used the upcoming Nessus 4.2, although this will also work with the current version of Nessus. Let's look at each of these three activities separately and see how they perform against Windows 7:

Network Scan

A network scan with the Windows firewall enabled does not detect any vulnerabilities, or reveal any results for that matter, as all communication is blocked by the firewall. When the firewall is disabled, Nessus reveals some information, but nothing in the way of vulnerabilities (even though the target is purposely missing patches).

Windows7NetworkScanResults-sm.png
Click here for the full size version of the above screen capture.

However, the network scan does reveal useful information that helps identify Windows 7 on the network. For example, the OS identification is 100% accurate:

Windows7OSidentification.png

In addition, port 137/UDP reveals information about the operating system, such as the computer name, Domain or Workgroup and MAC address:

Win7137udp.png

While Nessus without credentials does provide some useful information that can be used to identify "unfirewalled" Windows 7 installations on the network, it does not provide anything about missing patches or misconfiguration.

Credentialed Scanning - Patch Auditing

Nessus can be used to perform patch auditing of Windows 7 systems. There are two issues to be aware of when scanning Windows 7 with credentials:

  1. You must enable the "Administrator" account on the system. Even if your account has "Administrator" rights, Nessus needs the actual "Administrator" account in order to have sufficient credentials on the host. [Update: You can either use the local administrator account or a domain account that is member of the "Domain Admins" group.]
  2. The Remote Registry service must be running on the target host. In Windows 7, this is not enabled by default. You must go into the "services" menu and enable it manually. Alternatively, you can configure Nessus to enable and disable this service automatically. Refer to the article titled, "Dynamic Remote Registry Auditing - Now you see it, now you don’t!" for more information.

Once the above two configuration items are in place, you can perform a credentialed scan on the host. The results are very thorough, identifying several missing patches that were not enumerated across the network:

Windows7CredentialedScanresults.png

"Misconfiguration leads to compromise"

Configuration auditing is an important step in the security process. Even though you may have a system that is fully patched, it could still be vulnerable to attack due to misconfiguration (e.g., services running with no authentication, information leakage, etc.).

Windows7AuditResults.png

Above you can see there are several vulnerabilities as a result of various configuration settings (Each red, yellow, and blue bar along the bottom represents a vulnerability detected by Nessus. Clicking on the arrows on the left or right hand side allows you to scroll through them). Tenable offers two sets of audit policies for Windows 7, 3 for the EC (Enterprise Client) version of Microsoft's security guidelines, and 3 for the SSLF (Specialized Security Limited Functionality) guidelines. The above scan results represent the "EC Desktop" guidelines.

The next logical question is, "Is there a way to implement the configuration changes across my environment?". Fortunately, Microsoft provides predefined security templates for all operating systems, including Windows 7. By applying these templates using the MMC console, you can apply the settings that match the .audit files provided for Nessus.

Conclusion

It is likely that we will see Windows 7 gain widespread adoption in the enterprise. Nessus is able to accurately scan for Windows 7, identifying it on the network via OS fingerprinting to flag any rogue installations not under patch management. For managed machines, Nessus fully supports local patch checks and configuration audits to ensure that the systems are kept up to date with software patches and that the appropriate security settings have been applied.