Testing Windows Vista systems for FDCC compliance with Nessus
Previously, I posted a blog which showed how Nessus Direct Feed and Security Center users could audit Windows XP Pro systems against FDCC compliance settings. In this blog entry, we will show how this can also be accomplished for Windows Vista systems. As with the previous blog, we will be performing audits against the reference Virtual PC systems available from NIST.
Configuring Your Vista Target
To enable scanning of a Vista system with Nessus, the following steps can be taken. These steps ensure that the firewall is not blocking connections from the Nessus scanner, that UAC has been modified to enable remote connections and that the remote registry service has been enabled. The last two steps are only required if you are working with a stand-alone Vista system and not one that is participating in a domain.
If you obtained the test image from NIST, you will be greeted with the following start up screen:
The first item to modify is in the firewall settings. The File and Printer sharing exception should be enabled. This will allow Nessus to connect to the Vista system over the network.
The second item is to enable the inbound file and printer exception via the gpedit.msc tool. This tool can be launched from the "Run..." prompt. To navigate to the setting which needs to be changed, follow Local Computer Policy - Administrative Templates - Network - Network Connections - Windows Firewall - Standard Profile - Windows Firewall : Allow inbound file and printer exception.
Third, when you are editing the firewall policy, make sure that the setting to prohibit use of the Internet Connection Firewall on your DNS domain network is also disabled. From within the gpedit.msc tool, you can navigate to this setting by following Local Computer Policy - Administrative Templates - Network - Network Connections - Prohibit use of Internet connection firewall on your DNS domain. This setting should either be "Disabled" or "Not Configured".
The next item is to modify Vista's UAC to allow Nessus to perform an audit. There are two choices here. You can simply disable UAC entirely, or you can modify a registry setting to allow Nessus audits.
To turn off UAC completely, open up the Control Panel, select "User Accounts" and then "Turn User Account Control" to off.
Alternatively, you can add a new registry key named "LocalAccountTokenFilterPolicy" and set its value to "1". This key should be created in the registry at the following location:
For more information on this technique, please consider the following MSDN blog entry:
The last step is to enable the Remote Registry service. This service is disabled by default. You can enable it for a one-time audit, or enable it permanently such that it will start if the computer is rebooted.
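The three prerequisites above (firewall exception, UAC token policy, Remote Registry service) collected into one pre-flight script for a stand-alone Vista host. This is an added example, not code from the original post or from Tenable; it assumes an elevated PowerShell prompt on the target, takes the registry route rather than disabling UAC outright, uses the standard Windows location of the LocalAccountTokenFilterPolicy value (which the post does not spell out), and only changes anything when run with -Apply.

```powershell
# Pre-flight check: is this stand-alone Vista host ready for a credentialed
# Nessus audit? Read-only by default; -Apply makes the changes, -Permanent
# sets Remote Registry to start at boot instead of for this session only.
# Assumption: run from an elevated PowerShell prompt on the target itself.
param([switch]$Apply, [switch]$Permanent)

# Standard Windows location of the UAC remote-token policy value (assumed
# here; the post names the value but not its path).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-FirewallException {
    # Vista has no Get-NetFirewallRule cmdlet, so ask netsh (through cmd so
    # the quoted group name is passed through untouched) whether any rule in
    # the File and Printer Sharing group is enabled.
    $out = cmd /c 'netsh advfirewall firewall show rule group="File and Printer Sharing"' | Out-String
    return [bool]($out -match 'Enabled:\s+Yes')
}

function Test-UacTokenPolicy {
    # Missing key or value evaluates to $null, which is reported as not set.
    $v = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    return ($v -eq 1)
}

function Test-RemoteRegistry {
    return ((Get-Service -Name RemoteRegistry).Status -eq 'Running')
}

$checks = @(
    @{ Name = 'File and Printer Sharing exception'; Test = { Test-FirewallException }
       Fix  = { cmd /c 'netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes' | Out-Null } },
    @{ Name = 'LocalAccountTokenFilterPolicy = 1';  Test = { Test-UacTokenPolicy }
       Fix  = { New-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null } },
    @{ Name = 'Remote Registry service running';    Test = { Test-RemoteRegistry }
       # A Disabled service will not start, so set the startup type first.
       Fix  = { Set-Service RemoteRegistry -StartupType $(if ($Permanent) { 'Automatic' } else { 'Manual' })
                Start-Service RemoteRegistry } }
)

foreach ($c in $checks) {
    $ok = & $c.Test
    if (-not $ok -and $Apply) { & $c.Fix; $ok = & $c.Test }   # re-test after the fix
    $state = if ($ok) { 'OK     ' } else { 'MISSING' }
    Write-Host ("[{0}] {1}" -f $state, $c.Name)
}
# Each of these settings widens the host's remote exposure; revert them once
# the audit window closes.
```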
Performing the Test With Nessus
To perform an audit of the required Vista FDCC settings, Tenable Direct Feed or Security Center customers can download the "FDCC Windows Vista Desktop" audit policy from the Tenable Support Portal. In either the Security Center or the Nessus Client, create a scanning policy that enables the Windows Compliance Check plugin (ID #21156 in the Policy Compliance family), includes credentials for the Windows Vista system(s) being scanned, and includes the FDCC_Vista_v2.audit policy file. Screen shots of this sort of configuration for the Nessus Client are shown below:
Below are two separate HTML based Nessus Client 3.0 reports generated from scans made with this policy against an FDCC compliant and non-compliant target Vista system:
Nessus, SCAP and FDCC Certification
If you have been tracking the NIST SCAP and FDCC programs, you will know that only a few vendors have been certified at this time to perform FDCC audits. Tenable is about to undergo FDCC certification for the Security Center product.
In the meantime, though, Tenable has released audit content for Nessus based on FDCC and other types of NIST SCAP checks. Tenable currently has several large federal customers using this content to audit more than 25k desktops and servers in a single distributed Nessus scan managed by the Security Center.
One of the requirements of FDCC certification is to be able to parse the XCCDF content. Below is a screen shot of a new tool that will shortly be available to Security Center customers which can read the XCCDF content.
With this tool, a Security Center user will be able to work directly with the OVAL content distributed by NIST and produce a compliant Nessus audit file. Also, customers will be able to optionally include reference content (such as FISMA, DISA, ISO and other indexes) into the actual Nessus audit file. This data will automatically be parsed and available to Security Center users after these scans are performed.
For More Information
The following links reference previous blog entries about the FDCC and NIST SCAP program.