IT auditors, penetration testers, and incident responders often ask if a system they are analyzing is managed. A managed system is one that is being looked after, updated and maintained by an IT staff of some sort. An unmanaged system is one that is on the network, but perhaps has been forgotten, isn’t authorized or has some other reason for it not to be there or updated by anyone else.
Security findings for managed systems and unmanaged systems are reported differently. For an unmanaged system, the recommendation is to make the system managed and bring it into a secured state. For security issues with managed systems, the recommendation is to alter the current management processes to make them more secure.
Unfortunately, there is no “under management” test that can easily be automated. This blog entry will describe some of the different types of data that can be gathered from logs, Nessus scanning and Passive Vulnerability Scanner sniffing that can help identify systems with and without management.
How old are those vulnerabilities?
We have all seen “bad” patching at both large and small networks, but if you run across a system with vulnerabilities from 2009 or other years past, it’s likely not being managed.
Tenable’s SecurityCenter can chart and report on vulnerabilities based on their CVE-ID or Microsoft patch ID. These IDs include the year they were issued, which means dashboards and reports can be created that shows systems with issues from 2008, 2009, etc.
SecurityCenter can also be configured to look for “newly found” vulnerabilities that are for vulnerabilities from many years ago. This can give you real-time warnings when “new” systems contain older vulnerabilities.
Is there evidence of a patch or configuration management software?
Nessus and the Passive Vulnerabiltiy Scanner (PVS) have many checks that can identify if a system is participating in a domain or if it is running a variety of management agents. Nessus configuration audits can also be used to look for:
- Specific management agent processes and their configurations
- Registry and file settings associated with asset management
- Registry settings and files to test for known bad configurations such as factory settings and pre-“gold disk” values
The PVS has many useful real-time checks that identify Microsoft GPOs being pushed as well as the actual GPO servers. Below is a screen shot of GPO pushes detected by the PVS and logged to the LCE:
What do the logs say?
Tenable’s Log Correlation Engine (LCE) gathers logs from many different systems. These logs indicate changes such as patches being installed, registry changes made and files being modified. Below is a screen shot of changes detected over a 24-hour period through log and system analysis by the LCE:
If a system has no logs being gathered for it, it might be managed, but if you see logs from a system, you know that the system is likely under management since adding an agent or getting logs off of a system requires configuration by someone in IT.
I received several tips with pros and cons from Nessus auditors that are listed here:
DNS name – on some networks, a node will only get an official DNS name if the asset is known and managed by the IT group. Often, the DNS name will have code that indicates the function or purpose of the system. On some networks, every IP address resolves to something, so you can’t always use this.
DNS Queries – A system that queries outdated DNS servers is likely a system that isn’t configured correctly and isn’t being managed. Passively, the PVS can log which DNS servers a system is using. When most systems on a network are querying the few correct DNS servers, it is easy to identify the systems that aren’t.
IP Range – Organizations that have modern switching services leverage DHCP IP address assignment to ensure that the VLANs and netmasks are given out to authorized systems. Guest devices that aren’t managed are given leases with addresses in ranges that are different than other servers.
Out of Date SSL Certificates – Systems that leverage SSL certificates for security often depend on Certificate Authority (CA) certificates that have an expiration date. An expiring certificate that does not get updated can indicate a system that isn’t under management. Nessus identifies these types of certificates and the PVS can sniff them as well.
Share your ideas
If you have a technique or method to identify managed vs. unmanaged devices, please feel free to share this with other Tenable customers on our Discussions Portal.
Tenable has also posted a dashboard for SecurityCenter users that tracks unmanaged hosts based on Nessus scans.