Advanced Nessus 3 WMI Checks Against Windows Systems

Tenable Network Security has recently added the ability to query remote Windows systems via the Windows Management Instrumentation (WMI) protocol. This allows a credentialed Nessus 3 scan to perform some very advanced configuration audits of Windows systems. This blog entry discusses WMI, the initial checks developed by Tenable and how this can impact consultants and enterprise users of Nessus and the Security Center.

What is WMI?

WMI is a kernel level instrumentation technology for Windows. It allows  remote applications to query Windows systems for performance and configuration information. It also allows remote applications to set configuration data. The types of data that can be remotely queried and modified include:

• Publishing kernel instrumentation
• Configuring device settings
• Providing kernel-side event notification
• Publishing custom data
• Allowing administrators to set data security
• Accessing instrumentation by way of WMI

For more information about WMI, please visit Microsoft's web site on the technology.

Initial Set of Nessus Plugins

Tenable's Research team has published seven new plugins which make use of WMI queries. These plugins are listed here:

• #24269 WMI Available - Checks that a WMI query can be performed to the scanned Windows system.
• #24270 Computer Manufacturer Information - Obtains the specific make and model of the scanned device such as "Manufacturer : Dell Computer Corporation" and "Computer Model : Dimension 8300".
• #24271 SMB share files enumerated (via WMI) - This lists all remote files on the scanned server and is much faster than performing a similar query through SMB.
• #24272 Network Interface Enumeration - This plugin lists all network interfaces on the system and their IP addresses associated with them.
• #24273 Remote Copy of Windows Not Activated - Detects installed versions of Microsoft that have not been activated and will become disabled.
• #24272 USB Drives Enumeration - Lists all USB storage drives and their names.
• #24282 DEP is Disabled - The Data Execution Prevention technology that helps mitigate buffer overflows and system crashes is disabled.

Below is an example screen shot of a USB Drive audit from an OS X version of Nessus:

Availability

Tenable plans on developing many more checks of these types in the near future. These checks have been currently made available to Direct Feed customers and Registered Feed users will obtain them in seven days.

Nessus 3 is required to run these checks. It does not work with Nessus 2. If your organization is using a Managed Security Provider or Network Access Control product which makes use of Nessus 2, please ensure that they have licensed Nessus 3 from Tenable Network Security for their solution.

To the best of our knowledge, Tenable is the first company to ship a platform independent WMI implementation which does not require anything to be installed on the remote Windows system.

Couldn't Nessus do this before?

The remote patch auditing and configuration ability of Nessus 3 (for both patch auditing and configuration compliance checks) was performed over SMB. This allowed Tenable researchers to query patch information, open files, open registry settings and check the security settings of these devices. Through SMB alone though, there were many types of Windows information relevant to security that could not be queried. Tenable's implementation of WMI for Nessus 3 opens up many new types of checks.

Why is this important for consultants and enterprise users of Nessus?

The seven plugins released today should be very useful to both Security Center enterprise customers as well as consultants who scan large Windows networks. For Security Center users, considering the following possibilities:

• The data obtained by the make and manufacturer can be used to create dynamic asset lists. This can allow you to create asset lists based on specific manufacturer models, laptop vendors and so on.
  
• Network interface enumeration can be used to find Windows computers that have IP addresses not on your local network. This could allow you to also find a node that has both a wired connection with a valid IP and a wireless connection which has an unauthorized IP.
• Listing where all USB drives are located within an organization can also be of great use, especially in the hunt for sensitive data located in the wrong places or wrong organizations.

If you are a consultant or service provider and offer remote scans for Windows devices, these new checks can add great value to the gathered results. If your customers are asking for this sort of technology, you should also consider adding Nessus compliance checks to the offering, which is available through the Nessus Direct Feed.