Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Enhanced Windows Compliance Auditing

The Nessus 3 Direct Feed was updated today with enhanced functionality for Windows compliance checks. This blog entry discusses the new features and has example .audit text to illustrate them, including a test case for the recent Microsoft update for 2007 Daylight Savings Time. These changes only effect Windows audits.

Multiple Potential Compliance Values for AUDIT_POLICY Items

Both the "value" and "value_data" keywords can now accept multiple values within an "AUDIT_POLICY" context. If any of these values are present in the audited system, then the system passes the audit. Values are separated with "|" characters. Here is an example for a simple built-in test as well as a custom item test:

  name: "Audit logon events"
  value: "Failure" | "Success, Failure"

   description: "Audit logon events"
   value_type: AUDIT_SET
   value_data: "Failure" | "Success, Failure"
   audit_policy: AUDIT_LOGON

Both examples would pass a Windows server if auditing only logged login failures, or if logging of login failures and successes were performed.


A new value type of POLICY_BINARY is now available to test REG_BINARY registry settings. Using the regedit.exe tool, if you encounter a binary registry setting which requires testing, strip out the spaces and add it in to the "value_data" content.

Below is an example custom item for testing the application of the recent Microsoft 2007 Daylight Savings Time update. It uses a POLICY_BINARY setting to test for a value of "00 00 03 00 02 00 02 00 0000 00 00 00 00 00 00".

  description: "2007 Daylight Savings Patch Applied"
  value_type: POLICY_BINARY
  value_data: "00000300020002000000000000000000"
  reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
  reg_item: "DaylightStart"

Service Checks support CAN_BE_NULL or CAN_NOT_BE_NULL Flags

Prior to this update, a "reg_option" value of CAN_BE_NULL or CAN_NOT_BE_NULL was only supported on Registry Setting, Registry Permissions, File Permissions, File Content Checks and File Content Check NOTs audits.

This release now supports a new optional "svc_option" tag with values of CAN_BE_NULL or CAN_NOT_BE_NULL for service policy audits. This is useful for cases where the lack of a service running doesn't violate being compliant, or specifying that a certain service has to be running.

Optionally Ignoring Access Control List Inheritance

This release also includes more flexibility when auditing access control list (ACL) inheritance. The following ACLs can currently be audited:

  • file_acl
  • registry_acl
  • service_acl

Each of these can now contain an "acl_inheritance" value of:

  • not inherited
  • inherited
  • not used

This can force an audit of a file, registry or service ACL to not care, if the actual list was inherited or to specifically state the ACL inheritance type.

Receiving The Latest Plugins

SecurityCenter and Nessus 3 Direct Feed users should update their plugins after reading this blog to receive the new functionality. If your SecurityCenter is performing daily updates of plugins, then a manual plugin update will be required if you wish to use the new functionality immediately.

For More Information

To purchase Direct Feed (now called ProfessionalFeed), please visit the Tenable Store. The SecurityCenter is available for the Red Hat operating system and can manage multiple Nessus scanners, perform configuration audits for compliance reporting, process network IDS logs, and also manage multiple Passive Vulnerability Scanners and Log Correlation Engines.

To learn more about auditing Windows servers, please refer to these blog posts and webinar:

Tenable's 80+ page Real-Time Compliance Monitoring paper is available to current and potential customers and discusses for logging, network monitoring, vulnerability scanning and configuration auditing can help monitor PCI, SOX, FISMA, NERC and many other compliance standards.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.