
Tenable Blog


Testing Windows Vista systems for FDCC compliance with Nessus

Previously, I posted a blog entry showing how Nessus Direct Feed and Security Center users could audit Windows XP Pro systems against the FDCC compliance settings. This entry shows how the same can be done for Windows Vista systems. As in the previous entry, the audits are performed against the reference Virtual PC images available from NIST.

Configuring Your Vista Target

To enable scanning of a Vista system with Nessus, take the following steps. They ensure that the firewall is not blocking connections from the Nessus scanner, that UAC has been adjusted to permit remote administrative connections, and that the Remote Registry service has been enabled. The last two steps are only required for a stand-alone Vista system, not one that is joined to a domain.

If you obtained the test image from NIST, you will be greeted with the following start up screen:

[Screenshot: start-up desktop of the NIST FDCC Vista image]

The first item to modify is in the firewall settings. The File and Printer sharing exception should be enabled. This will allow Nessus to connect to the Vista system over the network.

[Screenshot: File and Printer Sharing exception in the Vista firewall settings]

The second item is to enable the inbound file and printer exception via the gpedit.msc tool, which can be launched from the "Run..." prompt. To reach the setting that needs to be changed, follow Local Computer Policy - Administrative Templates - Network - Network Connections - Windows Firewall - Standard Profile - Windows Firewall: Allow inbound file and printer exception.

Third, while you are editing the firewall policy, make sure that the setting prohibiting use of the Internet Connection Firewall on your DNS domain network is also disabled. From within gpedit.msc, navigate to Local Computer Policy - Administrative Templates - Network - Network Connections - Prohibit use of Internet Connection Firewall on your DNS domain network. This setting should be either "Disabled" or "Not Configured".

The next item is to adjust Vista's UAC so that Nessus can perform an audit. There are two choices here: you can disable UAC entirely, or you can change a single registry setting that permits Nessus audits while leaving UAC on.

To turn off UAC completely, open the Control Panel, select "User Accounts" and then turn User Account Control off.

Alternatively, add a new DWORD registry value named "LocalAccountTokenFilterPolicy" and set it to "1". This value should be created under the following registry key:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

For more information on this technique, see the following MSDN blog entry:

The last step is to enable the Remote Registry service, which is disabled by default. You can enable it for a one-time audit, or enable it permanently so that it starts again after the computer is rebooted.
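As an added example (not from the original post), the following PowerShell script applies the three prerequisites described above on a stand-alone Vista host, verifies them, and offers a -Revert switch to put the host back once the audit has run. It assumes an elevated prompt, the built-in "File and Printer Sharing" firewall rule group name and the RemoteRegistry service name.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the
# stand-alone Vista target. Assumes the built-in rule group name
# "File and Printer Sharing" and the service name RemoteRegistry.
param(
    [switch]$Permanent,   # keep Remote Registry at Automatic start across reboots
    [switch]$Revert       # undo the prerequisites after the audit has run
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ruleGroup = 'File and Printer Sharing'

if ($Revert) {
    # Restore the defaults: filtered remote tokens, Remote Registry disabled, exception off.
    Remove-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType Disabled
    netsh advfirewall firewall set rule group="$ruleGroup" new enable=No | Out-Null
    return
}

# 1. Firewall: enable the File and Printer Sharing exception so Nessus can reach the host.
netsh advfirewall firewall set rule group="$ruleGroup" new enable=Yes | Out-Null

# 2. UAC: LocalAccountTokenFilterPolicy = 1 lets a local administrator account keep
#    its full token over the network instead of the UAC-filtered one, so the
#    credentialed check can read the registry and file system.
New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Remote Registry: Manual start for a one-off audit, Automatic if -Permanent.
$startup = if ($Permanent) { 'Automatic' } else { 'Manual' }
Set-Service -Name RemoteRegistry -StartupType $startup
Start-Service -Name RemoteRegistry

# Verification: one PASS/FAIL line per prerequisite before the scan is launched.
$fwText = netsh advfirewall firewall show rule group="$ruleGroup"
$checks = @(
    @{ Name = "Firewall rule group '$ruleGroup' enabled"
       Ok   = [bool]($fwText | Select-String -Pattern 'Enabled:\s+Yes') },
    @{ Name = 'LocalAccountTokenFilterPolicy = 1'
       Ok   = (Get-ItemProperty -Path $policyKey).LocalAccountTokenFilterPolicy -eq 1 },
    @{ Name = 'RemoteRegistry service running'
       Ok   = (Get-Service -Name RemoteRegistry).Status -eq 'Running' }
)
foreach ($c in $checks) {
    $state = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}' -f $state, $c.Name)
}
```

Run it once before the scan and again with -Revert afterwards, since the token-filtering change and the open Remote Registry service widen what any holder of a local administrator password can do over the network.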

Performing the Test With Nessus

To perform an audit of the required Vista FDCC settings, Tenable Direct Feed or Security Center customers can download the "FDCC Windows Vista Desktop" audit policy from the Tenable Support Portal. Then, in either Security Center or the Nessus Client, create a scan policy that enables the Windows Compliance Check plugin (ID #21156 in the Policy Compliance family), includes credentials for the Windows Vista system(s) being scanned, and includes the FDCC_Vista_v2.audit policy file. Screen shots of this sort of configuration for the Nessus Client are shown below:
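For readers who have not seen one, here is a constructed fragment in the custom_item syntax that Nessus .audit policy files use (an added illustration, not an excerpt of FDCC_Vista_v2.audit). It checks that UAC is still enabled and that remote token filtering has been restored after the audit, which is exactly the state the prerequisites above temporarily relax; the REGISTRY_SETTING keywords and the CAN_BE_NULL option are assumed from the audit format as documented by Tenable.

```text
<check_type:"Windows" version:"2">
<group_policy:"Post-audit UAC hygiene (illustrative)">

<custom_item>
 type        : REGISTRY_SETTING
 description : "UAC is enabled (EnableLUA = 1)"
 value_type  : POLICY_DWORD
 value_data  : 1
 reg_key     : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
 reg_item    : "EnableLUA"
</custom_item>

<custom_item>
 type        : REGISTRY_SETTING
 description : "Remote UAC token filtering in effect (LocalAccountTokenFilterPolicy absent or 0)"
 value_type  : POLICY_DWORD
 value_data  : 0
 reg_key     : "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
 reg_item    : "LocalAccountTokenFilterPolicy"
 reg_option  : CAN_BE_NULL
</custom_item>

</group_policy>
</check_type>
```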

Below are two separate HTML-based Nessus Client 3.0 reports generated from scans made with this policy against an FDCC-compliant and a non-compliant target Vista system:

Nessus, SCAP and FDCC Certification

If you have been tracking the NIST SCAP and FDCC programs, you will know that only a few vendors have been certified at this time to perform FDCC audits. Tenable is about to undergo FDCC certification for the Security Center product.

In the meantime, Tenable has released audit content for Nessus based on FDCC and other types of NIST SCAP checks. Tenable currently has several large federal customers using this content to audit more than 25k desktops and servers in a single distributed Nessus scan managed by the Security Center.

One of the requirements of FDCC certification is to be able to parse the XCCDF content. Below is a screen shot of a new tool that will shortly be available to Security Center customers which can read the XCCDF content.

With this tool, a Security Center user will be able to work directly with the OVAL content distributed by NIST and produce a compliant Nessus audit file. Also, customers will be able to optionally include reference content (such as FISMA, DISA, ISO and other indexes) into the actual Nessus audit file. This data will automatically be parsed and available to Security Center users after these scans are performed.

For More Information

The following links reference previous blog entries about the FDCC and NIST SCAP programs.
