
Testing Windows Vista systems for FDCC compliance with Nessus

Previously, I posted a blog entry that showed how Nessus Direct Feed and Security Center users could audit Windows XP Pro systems against FDCC compliance settings. In this blog entry, we will show how this can also be accomplished for Windows Vista systems. As with the previous blog entry, we will be performing audits against the reference Virtual PC systems available from NIST.

Configuring Your Vista Target

To enable scanning of a Vista system with Nessus, the following steps can be taken. These steps ensure that the firewall is not blocking connections from the Nessus scanner, that UAC has been modified to enable remote connections and that the remote registry service has been enabled. The last two steps are only required if you are working with a stand-alone Vista system and not one that is participating in a domain.

If you obtained the test image from NIST, you will be greeted with the following start up screen:

[Screenshot: FDCC Vista reference image desktop]

The first item to modify is in the firewall settings. The File and Printer sharing exception should be enabled. This will allow Nessus to connect to the Vista system over the network.

[Screenshot: Windows Firewall "File and Printer Sharing" exception enabled]

The second item is to enable the inbound file and printer exception via the gpedit.msc tool. This tool can be launched from the "Run..." prompt. To navigate to the setting which needs to be changed, follow Local Computer Policy - Administrative Templates - Network - Network Connections - Windows Firewall - Standard Profile - Windows Firewall: Allow inbound file and printer exception.

Third, while you are editing the firewall policy, make sure that the setting to prohibit use of the Internet Connection Firewall on your DNS domain network is also disabled. From within the gpedit.msc tool, you can navigate to this setting by following Local Computer Policy - Administrative Templates - Network - Network Connections - Prohibit use of Internet connection firewall on your DNS domain. This setting should be either "Disabled" or "Not Configured".

The next item is to modify Vista's UAC to allow Nessus to perform an audit. There are two choices here. You can simply disable UAC 100%, or you can modify a registry setting to allow Nessus audits.

To turn off UAC completely, open up the Control Panel, select "User Accounts" and then "Turn User Account Control" to off.

Alternatively, you can add a new registry value named "LocalAccountTokenFilterPolicy" and set it to "1". This value should be created in the registry at the following location:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

For more information on this technique, please consider the following MSDN blog entry:

The last step is to enable the Remote Registry service. This service is disabled by default. You can enable it for a one-time audit, or enable it permanently such that it will start if the computer is rebooted.
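The target preparation above, scripted, as an added example that is not part of the original post: the script records the host's prior state, applies the firewall exception, the LocalAccountTokenFilterPolicy value and the Remote Registry service change needed for the credentialed audit, and can put them back afterwards, because a full-token remote local administrator and an exposed Remote Registry service widen the host's remote attack surface beyond the audit window. Assumed: an elevated PowerShell prompt, the netsh advfirewall rule group name "File and Printer Sharing", and the state-file path, all of which are this example's choices rather than the post's.

```powershell
# Added example (not from the original post): prepare a stand-alone Vista host for a
# credentialed Nessus audit and restore its previous state afterwards.
# Assumes an elevated PowerShell prompt; -Mode Restore is this example's addition.
param([ValidateSet('Enable','Restore')][string]$Mode = 'Enable',
      [string]$StateFile = "$env:ProgramData\nessus-audit-prep.xml")   # assumed path

$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valName = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns the current DWORD, or $null when the value has never been created.
    $p = Get-ItemProperty -Path $polKey -Name $valName -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.$valName } else { return $null }
}

if ($Mode -eq 'Enable') {
    # Record what is about to change so it can be reverted once the scan is done.
    $state = @{
        TokenFilterPolicy   = Get-TokenFilterPolicy
        RemoteRegistryStart = (Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'").StartMode
    }
    $state | Export-Clixml -Path $StateFile

    # UAC remote restrictions: let a local admin account obtain a full token over the
    # network (the registry alternative to switching UAC off entirely).
    Set-ItemProperty -Path $polKey -Name $valName -Value 1 -Type DWord

    # The Windows compliance checks need the Remote Registry service running.
    Set-Service -Name RemoteRegistry -StartupType Manual
    Start-Service -Name RemoteRegistry

    # Firewall: the File and Printer Sharing exception lets the scanner reach SMB/RPC.
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes | Out-Null
}
else {
    $state = Import-Clixml -Path $StateFile
    if ($null -eq $state.TokenFilterPolicy) {
        Remove-ItemProperty -Path $polKey -Name $valName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $polKey -Name $valName -Value $state.TokenFilterPolicy -Type DWord
    }
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    # WMI reports 'Auto'; Set-Service expects 'Automatic'.
    $startup = if ($state.RemoteRegistryStart -eq 'Auto') { 'Automatic' } else { $state.RemoteRegistryStart }
    Set-Service -Name RemoteRegistry -StartupType $startup
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
}
```

Run it once with the default mode before the scan and again with -Mode Restore when the audit report is in hand.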

Performing the Test With Nessus

To audit the required Vista FDCC settings, Tenable Direct Feed or Security Center customers can download the "FDCC Windows Vista Desktop" audit policy from the Tenable Support Portal. In either the Security Center or the Nessus Client, create a scanning policy that enables the Windows Compliance Check plugin (ID #21156 in the Policy Compliance family), includes credentials for the Windows Vista system(s) being scanned, and includes the FDCC_Vista_v2.audit policy file. Screen shots of this sort of configuration for the Nessus Client are shown below:

Below are two separate HTML-based Nessus Client 3.0 reports generated from scans made with this policy against an FDCC-compliant and a non-compliant target Vista system:

Nessus, SCAP and FDCC Certification

If you have been tracking the NIST SCAP and FDCC programs, you will know that only a few vendors have been certified at this time to perform FDCC audits. Tenable is about to undergo FDCC certification for the Security Center product.

In the meantime, though, Tenable has released audit content for Nessus based on FDCC and other types of NIST SCAP checks. Tenable currently has several large federal customers using this content to audit more than 25k desktops and servers in a single distributed Nessus scan managed by the Security Center.

One of the requirements of FDCC certification is to be able to parse the XCCDF content. Below is a screen shot of a new tool that will shortly be available to Security Center customers which can read the XCCDF content.

With this tool, a Security Center user will be able to work directly with the OVAL content distributed by NIST and produce a compliant Nessus audit file. Also, customers will be able to optionally include reference content (such as FISMA, DISA, ISO and other indexes) into the actual Nessus audit file. This data will automatically be parsed and available to Security Center users after these scans are performed.

For More Information

The following links reference previous blog entries about the FDCC and NIST SCAP programs.
