
Tenable Blog

Compliance Auditing with Microsoft PowerShell

Microsoft's PowerShell framework has been part of its product line for some time. In recent years it has played a major role in new operating system versions (such as Windows 7 and Windows Server 2008) thanks to its inclusion in Microsoft's Common Engineering Criteria, and all future Microsoft server products will ship with PowerShell support integrated by default. This means Microsoft products can be managed through a single interface rather than a mix of the registry, WMI and other system files and utilities.

For those unfamiliar with PowerShell, it is a command-line shell meant to perform administrative tasks using cmdlets. Cmdlets are purpose-built commands for specific tasks such as reading registry keys, files and WMI objects, starting and stopping Windows services, and many others. A wide range of cmdlets and their usage are documented on Microsoft's website.

The ability to run PowerShell cmdlets remotely opens up interesting possibilities from a compliance perspective. For example, it is now possible to read a file, apply several different filters and determine compliance, or to run a cmdlet and report its output for the user to review, tailoring that output as needed. Tenable recently added an AUDIT_POWERSHELL check to the Windows compliance checks which allows users to do just that, right from an .audit file. Below is the basic syntax:

<custom_item>
type: AUDIT_POWERSHELL
description: "Powershell check"
value_type: [value_type]
value_data: [value]
powershell_args: ["arguments for powershell.exe"]
(optional) only_show_cmd_output : YES or NO
(optional) check_type : [CHECK_TYPE]
(optional) severity : ["HIGH" or "MEDIUM" or "LOW"]
(optional) powershell_option : CAN_BE_NULL
(optional) powershell_console_file : ["Location of PowerShell console file"]
</item>

Users can opt to audit a specific value or have the check report the entire output of the cmdlet being run. When reporting the output of the cmdlet, users have the option to set the severity of the result using the 'severity' tag.

Powershell Auditing Examples

1. Review security patches

<custom_item>
type: AUDIT_POWERSHELL
description: "Show Installed Hotfix"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : "get-hotfix | Where-Object {$_.Description -ne ''} | select Description,HotFixID,InstalledBy | format-list"
only_show_cmd_output : YES
severity : LOW
</item>

2. Audit a specific value

<custom_item>
type: AUDIT_POWERSHELL
description: "Audit Service Status"
value_type: POLICY_TEXT
value_data: "Running"
powershell_args  : "Get-Service | Where-Object {$_.name -eq 'browser'} | select status"
check_type : CHECK_REGEX
</item>

3. Review system log

<custom_item>
type: AUDIT_POWERSHELL
description: "Review System Log files "
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'get-eventlog -newest 5 -logname system | format-list'
only_show_cmd_output : YES
</item>

4. Show power settings

<custom_item>
type: AUDIT_POWERSHELL
description: "Show Power settings"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'get-wmiobject -namespace root\\cimv2\\power -class Win32_powerplan | select Description,IsActive | format-list'
only_show_cmd_output : YES
</item>

5. Run a WMI method

<custom_item>
type: AUDIT_POWERSHELL
description: "Run WMI method ListWebServiceExtensions() on IIsWebService object"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : '(get-WmiObject -namespace root\\MicrosoftIISv2 -Class IIsWebService).ListWebServiceExtensions().Extensions'
only_show_cmd_output : YES
</item>

6. Get a list of files in a directory

<custom_item>
type: AUDIT_POWERSHELL
description: "Get list of all files within a directory"
value_type: POLICY_TEXT
value_data: ""
powershell_args  : 'Get-ChildItem "C:\\Program Files\\Common Files"'
only_show_cmd_output : YES
</item>

7. Review contents of a file

<custom_item>
type : AUDIT_POWERSHELL
description : "Review contents of a file"
value_type : POLICY_TEXT
value_data : ""
powershell_option : CAN_BE_NULL
powershell_args  : "get-content 'D:\\Apache2.2\\conf\\httpd.conf' | select-string -pattern '^ *<Directory' -context 0,10"
severity : MEDIUM
only_show_cmd_output: YES
</item>
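Before committing a check to an .audit file it helps to run the same pipeline on a test host and see exactly what text the scanner will be comparing against value_data. The function below is an added example written for this post, not part of Tenable's plugin: it runs a powershell_args string through a child powershell.exe (as a scanner handing a command string to powershell.exe would) and applies a local approximation of check_type to the trimmed output. How the real plugin normalizes whitespace and table headers is an assumption here, so treat a local PASSED as a prototype result rather than the plugin's verdict. The service names used in the calls (browser, EventLog, TlntSvr) are illustrations; only browser comes from the post.

```powershell
# Added example: prototype an AUDIT_POWERSHELL item locally before putting it
# in an .audit file. Not Tenable's code; the matching below is an assumed
# approximation of how check_type compares cmdlet output with value_data.

function Test-AuditPowerShellItem {
    param(
        [Parameter(Mandatory)] [string]$Description,
        [Parameter(Mandatory)] [string]$PowerShellArgs,   # the powershell_args string
        [string]$ValueData = '',                          # the value_data string
        [ValidateSet('CHECK_EQUAL', 'CHECK_REGEX', 'CHECK_NOT_REGEX')]
        [string]$CheckType = 'CHECK_EQUAL',
        [switch]$OnlyShowCmdOutput                        # only_show_cmd_output: YES
    )

    # Run in a fresh, profile-less powershell.exe so the output reflects what a
    # remote scanner gets, not this interactive session's aliases or modules.
    $output = (& powershell.exe -NoProfile -NonInteractive -Command $PowerShellArgs 2>&1 |
               Out-String).Trim()

    if ($OnlyShowCmdOutput) {
        # Report-only mode: no pass/fail, just the text an auditor would review.
        return [pscustomobject]@{ Description = $Description; Result = 'INFO'; Output = $output }
    }

    $passed = switch ($CheckType) {
        'CHECK_EQUAL'     { $output -eq $ValueData }        # exact, case-insensitive
        'CHECK_REGEX'     { $output -match $ValueData }     # value_data is a regex
        'CHECK_NOT_REGEX' { $output -notmatch $ValueData }
    }
    $result = if ($passed) { 'PASSED' } else { 'FAILED' }

    [pscustomobject]@{ Description = $Description; Result = $result; Output = $output }
}

# Example 2 from the post, as written: 'select status' emits a table with a
# 'Status' header line, so CHECK_REGEX passes while CHECK_EQUAL would not.
Test-AuditPowerShellItem -Description 'Audit Service Status' `
    -PowerShellArgs "Get-Service | Where-Object {`$_.Name -eq 'browser'} | select status" `
    -ValueData 'Running' -CheckType CHECK_REGEX

# Strict form for a service that must run on every host (Windows Event Log):
# reading the property directly yields the bare word 'Running' or 'Stopped',
# so CHECK_EQUAL is unambiguous and 'Stopped' cannot match a loose regex.
Test-AuditPowerShellItem -Description 'Event Log service running (strict)' `
    -PowerShellArgs "(Get-Service -Name EventLog).Status" `
    -ValueData 'Running' -CheckType CHECK_EQUAL

# Negative check for a service that should not run on a hardened host. On
# hosts without TlntSvr the expression returns nothing, the trimmed output is
# empty and CHECK_NOT_REGEX passes, which is the intended result.
Test-AuditPowerShellItem -Description 'Telnet service must not be running' `
    -PowerShellArgs "(Get-Service -Name TlntSvr -ErrorAction SilentlyContinue).Status" `
    -ValueData '^Running$' -CheckType CHECK_NOT_REGEX
```

The practical lesson is in the first two calls: a pipeline that ends in select or format-list produces formatted text with headers, so a regex check is the natural fit for it, whereas a property expression that returns a single value lets you use an exact comparison and avoid a false PASSED when the output merely contains the expected word somewhere.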

The listed examples leverage cmdlets typically found on Windows operating systems that support PowerShell. But what if we need to audit a product that ships its own set of PowerShell cmdlets (e.g., Exchange 2007 or SharePoint 2010)? For such products we need to specify a Windows PowerShell console file located on the target system. A PowerShell console file (.psc1) records the registered snap-ins that extend PowerShell's features; many of them add cmdlets for administering software installed on the system.

An example PowerShell snap-in is Microsoft.Exchange.Management.PowerShell.Admin, provided by Microsoft Exchange 2007, which adds commands for administering Exchange via PowerShell. With support for PowerShell console files added to AUDIT_POWERSHELL, the Windows Compliance Checks plugin can now audit software products like Exchange 2007, SharePoint and others. The "powershell_console_file" keyword tells AUDIT_POWERSHELL to load a specific PowerShell console file on the target before running the get-* cmdlets, which allows a user to audit the target for compliance.

Exchange Configuration Audit Example #1 – Report Exchange 2007 Server Role:

[root@test]# cat powershell_test.audit
<check_type: "Windows" version : "2">
<group_policy: "Example Powershell Console File Audit">
<custom_item>
type       : AUDIT_POWERSHELL
description: "Disable Unnecessary Exchange Services and Roles"
value_type : POLICY_TEXT
value_data : ""
powershell_args: "get-exchangeserver | select identity,serverrole| format-list"
only_show_cmd_output: YES
powershell_console_file: "C:\Microsoft\Exchange Server\Bin\ExShell.psc1"
info: "Review the server's roles and ensure only necessary services are listed."
</custom_item>
</group_policy>
</check_type>
[root@test bin]# ./nasl -aXt 192.168.1.2 compliance_check.nbin
Windows Compliance Checks, version 2.0.28
Which file contains your security policy : powershell_test.audit
SMB login : administrator
SMB password : ********
SMB domain (optional) : testdomain
"Disable Unnecessary Exchange Services and Roles": [INFO]
Review the server's roles and ensure only necessary services are listed.
Output :
Identity   : EdgeExchange
ServerRole : Edge
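A console file only helps if the snap-ins it names are actually registered on the target; otherwise the cmdlets in powershell_args do not exist and the audit reports an error instead of a result. The script below is an added example for this post, not Tenable's code: it parses a .psc1, checks each referenced snap-in against the registered snap-ins on the host, and then shows the equivalent of what the scanner does with powershell_console_file, which is to launch powershell.exe with its -PSConsoleFile switch and run the get-* pipeline. The sample .psc1 content is constructed here (the snap-in name is the one quoted in the post), and the Exchange path is the one from the post's example. Get-PSSnapin exists in Windows PowerShell only, which is why the call tolerates its absence.

```powershell
# Added example: inspect a PowerShell console file (.psc1) and confirm that the
# snap-ins it references are registered on this host before pointing an
# AUDIT_POWERSHELL item's powershell_console_file at it. Not Tenable's code.

function Get-ConsoleFileSnapIn {
    param([Parameter(Mandatory)] [string]$Path)

    # A .psc1 is XML: <PSConsoleFile><PSSnapIns><PSSnapIn Name="..."/></PSSnapIns></PSConsoleFile>
    [xml]$console = Get-Content -LiteralPath $Path

    # Snap-ins registered on this machine (Windows PowerShell only; empty elsewhere).
    $registered = Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name

    foreach ($snapin in @($console.PSConsoleFile.PSSnapIns.PSSnapIn)) {
        $name = $snapin.GetAttribute('Name')   # attribute, not the element name
        [pscustomobject]@{
            ConsoleFile = $Path
            SnapIn      = $name
            Registered  = ($registered -contains $name)
        }
    }
}

# Constructed sample console file, written to a temp path so this runs on any
# Windows host. The real file for Exchange 2007 is ExShell.psc1 in its Bin directory.
$sample = Join-Path $env:TEMP 'ExShell-sample.psc1'
@'
<?xml version="1.0" encoding="utf-8"?>
<PSConsoleFile ConsoleSchemaVersion="1.0">
  <PSVersion>1.0</PSVersion>
  <PSSnapIns>
    <PSSnapIn Name="Microsoft.Exchange.Management.PowerShell.Admin" />
  </PSSnapIns>
</PSConsoleFile>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

# Registered is True only on a host where the Exchange management tools are installed.
Get-ConsoleFileSnapIn -Path $sample | Format-Table -AutoSize

# What powershell_console_file amounts to on the target: load the console file
# with -PSConsoleFile, then run the item's get-* pipeline in that session.
# Path taken from the post's example; on a host without Exchange this prints
# the snap-in load error, which is the same failure the audit would hit.
$consoleFile = 'C:\Microsoft\Exchange Server\Bin\ExShell.psc1'
if (Test-Path -LiteralPath $consoleFile) {
    & powershell.exe -NoProfile -PSConsoleFile $consoleFile `
        -Command 'get-exchangeserver | select identity,serverrole | format-list'
}
```

Running the snap-in check with the same account the scanner will use is worthwhile: snap-in registration is machine-wide, but the Exchange cmdlets themselves still apply role-based permissions, so a low-privilege audit account may load the console file successfully and yet get nothing back from get-exchangeserver.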

Requirements

  • PowerShell must be installed on the target (older OSes do not have it installed by default).
  • WMI must be enabled on the target.
  • Firewall setting "Windows Firewall: Allow inbound remote administration exception" must be enabled.
  • Note: At this time, only get-* cmdlets can be run. Cmdlet aliases (e.g., gwmi) are not supported.

Conclusion

Several compliance audit policies distributed by Tenable are already using the PowerShell functionality described above. For more information, and to download the policies themselves, log in to the Tenable Support Portal and go to the downloads area.
