Using Nessus Configuration Audits To Test FDCC Compliance
Tenable has recently announced FDCC audit policies for Nessus ProfessionalFeed and Security Center users. These policies help government organizations test Windows XP Pro and Vista desktops against OMB's required configuration settings. This blog entry describes how this testing can be performed with Nessus against the reference Windows XP Pro FDCC virtual machine image.
Required Materials or Software
The following resources are required to perform this testing:
- To perform this test, you need a virtual machine player such as VMware or Virtual PC. This will be used to run the virtual disk images of Windows XP Pro.
- The actual Windows XP Pro images can be obtained from NIST's web site. These are "evaluation" copies of Windows XP Pro and Vista. Make sure your organization is aware that these OS images are unlicensed evaluation copies intended for testing only.
- Nessus 3 or later, either with a ProfessionalFeed subscription or actively managed by a Security Center.
- The FDCC Desktops v90 audit policy is available from the Tenable Support Portal: click the "Downloads" button, then under "Compliance and Audit Files" follow the link for "Nessus NIST and FDCC Compliance Audit Policies".
Preparing the FDCC Reference Image
When the system is booted up, you will see the following desktop and end user license agreements:
The default image is locked down: the Windows Firewall blocks all inbound ports and remote access has been disabled. To allow Nessus to reach and audit the system, the following steps must be performed:
Choose the Start button, select "Run" and then enter "gpedit.msc". From this new GUI, choose "Computer Configuration", then "Administrative Templates", then "Network", then "Network Connections", then "Windows Firewall" and then finally "Domain Profile/Standard Profile".
Modify the following sections accordingly:
- Enable "Windows Firewall: Allow File and Printer Sharing exception"
- Enable "Windows Firewall: Allow Remote administration exception"
- Disable "Windows Firewall: Do not allow exceptions"
Screen shots of these steps are shown below:
Also keep in mind that the final choice between "Domain Profile" and "Standard Profile" depends on whether the system is a domain member or a standalone machine. By default, the NIST FDCC reference virtual machine is a standalone machine, so the Standard Profile applies. However, most government agencies make their Windows desktops part of a domain, so if you have joined this VM to a domain, remember that the Domain Profile has its own, separate settings that must be changed instead.
After modifying group policy, the following Local Security Policy setting must be changed for non-domain Windows XP desktops: "Network access: Sharing and security model for local accounts". It is located in "Local Security Settings" under: "Local Policies" => "Security Options". According to Microsoft, "This security setting determines how network logons using local accounts are authenticated". See screenshot below:
By default, this option is set to "Guest only: local users authenticate as guest". Since remote network users are then mapped to "Guest", they do not have the privileges required for a credentialed Nessus scan. Switch this setting to "Classic: local users authenticate as themselves" so that the Nessus scan runs with the rights of the account you supply; that account must still be a local administrator on the target.
Customers are also encouraged to run firewalls on their desktops. If those desktops are audited with Nessus, however, TCP ports 139 and 445 must remain reachable, preferably only from the IP address of the authorized Nessus scanner rather than from every host.
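The GUI steps above, collapsed into a command-line equivalent. This is an added example and is not part of the original post or a Tenable-supplied script. It writes the same Local Group Policy values that gpedit.msc stores for the three Windows Firewall items, sets the "Sharing and security model for local accounts" policy to Classic, then applies the policy and prints what the firewall now enforces. It assumes a standalone XP SP2 (or later) machine, so the Standard Profile is used, and 192.0.2.10 is a placeholder for your Nessus scanner's address.

```batch
@echo off
REM Added example (not from the original post): prepare a standalone Windows XP
REM FDCC reference VM for a credentialed Nessus scan from an Administrator cmd.exe.
REM Placeholder: replace 192.0.2.10 with the IP address of your Nessus scanner.
set SCANNER=192.0.2.10

REM Local Group Policy location of "Windows Firewall" -> "Standard Profile".
REM For a domain-joined VM use ...\WindowsFirewall\DomainProfile instead.
set FW=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

REM "Windows Firewall: Do not allow exceptions" -> Disabled
reg add "%FW%" /v DoNotAllowExceptions /t REG_DWORD /d 0 /f

REM "Windows Firewall: Allow file and printer sharing exception" -> Enabled.
REM Opens TCP 139/445 and UDP 137/138, but only for the scanner address.
reg add "%FW%\Services\FileAndPrint" /v Enabled /t REG_DWORD /d 1 /f
reg add "%FW%\Services\FileAndPrint" /v RemoteAddresses /t REG_SZ /d "%SCANNER%" /f

REM "Windows Firewall: Allow remote administration exception" -> Enabled.
REM Opens RPC/DCOM (TCP 135 and 445), again scoped to the scanner only.
reg add "%FW%\RemoteAdminSettings" /v Enabled /t REG_DWORD /d 1 /f
reg add "%FW%\RemoteAdminSettings" /v RemoteAddresses /t REG_SZ /d "%SCANNER%" /f

REM "Network access: Sharing and security model for local accounts"
REM ForceGuest=1 is "Guest only", ForceGuest=0 is "Classic".
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v ForceGuest /t REG_DWORD /d 0 /f

REM Apply the local policy now rather than waiting for the refresh interval,
REM then show the effective firewall state and the authentication model.
gpupdate /force
netsh firewall show state
netsh firewall show config
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v ForceGuest
```

Restricting RemoteAddresses to the scanner keeps the rest of the network blocked while the audit runs. Note that these changes are themselves deviations from the FDCC firewall baseline, so revert them (or record them as authorized exceptions) once testing is complete.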
Configuring Your Nessus Scanner
We will use NessusClient to perform this scan. To perform such an audit, create a scan policy containing the credentials for the target system, select the "Windows Compliance Checks" plugin, make sure that "Enable Plugin Dependencies" is turned on, and then select the FDCC Desktops v90 audit file. Screen shots of this process are shown below:
Although we are focusing on an FDCC configuration audit, the scan could have just as easily implemented tests for other configurations, performed a full patch audit, or launched vulnerability checks.
If you were performing this test with a different Nessus client, or with the Security Center, the same information would need to be entered in your scan policy.
Analyzing the Results
When scanning the FDCC Reference system, testing should show 100% compliance with all required OMB settings. Below are two reports of a scanned Windows XP Pro FDCC reference system.
The first report shows 100% compliance with all settings.
The second report shows several issues that reflect non-compliant configurations. For the second test we changed several settings to something less strict than FDCC requires and performed a new scan.
Both reports are HTML and can be viewed in a web browser.
If these scans were performed with the Security Center, the scans themselves could be scheduled with the proper credentials, and specific non-compliant settings reported across thousands of desktops for analysis and action by auditors and asset owners.
For More Information
This test did not consider the FDCC desktop firewall audit requirements. Tenable has produced a policy for FDCC desktop firewalls based directly on the NIST SCAP recommended configuration guidelines. However, in order to work with domains, patch management systems and other Microsoft-centric solutions, most organizations will need to make exceptions to this policy. Organizations that do make exceptions should modify the Nessus audit policy to reflect their desired firewall settings.