
Tenable Blog


Using Nessus Configuration Audits To Test FDCC Compliance

Tenable has recently announced FDCC audit policies for Nessus ProfessionalFeed and Security Center users. These policies help government organizations test Windows XP Pro and Vista desktops against OMB's required configuration settings. This blog entry describes how this testing can be performed with Nessus against the reference Windows XP Pro FDCC virtual machine image.

Required Materials or Software

The following resources are required to perform this testing:

  1. To perform this test, you need a virtual machine player such as VMware or Virtual PC. This will be used to run the virtual disk images of Windows XP Pro.
  2. The actual Windows XP Pro images can be obtained from NIST's web site. These are "evaluation" copies of Windows XP, XP Pro and Vista. Make sure your organization is aware of these OS images as unlicensed copies used for testing.
  3. Nessus 3 or later with a ProfessionalFeed subscription or actively managed by a Security Center is required.
  4. The FDCC Desktops v90 audit policy is available from the Tenable Support Portal: under the "Downloads" button, then under "Compliance and Audit Files", you will find a link for the "Nessus NIST and FDCC Compliance Audit Policies".

Preparing the FDCC Reference Image

When the system is booted up, you will see the following desktop and end user license agreements:

[Screenshots: VM Desktop; EULA]

The default image is very secured in that the firewall is blocking all ports and remote access has been disabled. To enable access and auditing by Nessus, the following steps must be performed:

Choose the Start button, select "Run" and then enter "gpedit.msc". From this new GUI, choose "Computer Configuration", then "Administrative Templates", then "Network", then "Network Connections", then "Windows Firewall" and then finally "Domain Profile/Standard Profile".

Modify the following sections accordingly:

  • Enable "Windows Firewall: Allow File and Printer Sharing exception"
  • Enable "Windows Firewall: Allow Remote administration exception"
  • Disable "Windows Firewall: Do not allow exceptions"

Screen shots of these steps are shown below:

[Screenshots: Print/File Sharing; Enable Remote Admin; No Exceptions]

Also keep in mind that the last choice, "Domain Profile" or "Standard Profile", depends on whether the system is part of a domain or is a standalone machine. By default, the NIST FDCC reference virtual machine is a standalone machine. However, most government agencies make their Windows desktops part of a domain, so if you've configured this VM to be part of a domain, keep in mind there are separate settings for that profile.

After modifying group policy, the following Local Security Policy setting must be changed for non-domain Windows XP desktops: "Network access: Sharing and security model for local accounts". It is located in "Local Security Settings" under: "Local Policies" => "Security Options". According to Microsoft, "This security setting determines how network logons using local accounts are authenticated". See screenshot below:

[Screenshot: Local Security Policy]

By default, this option is set to: "Guest only: local users authenticate as guest". Since remote network users are assigned "Guest" access, they do not have the required privileges to perform a credentialed Nessus scan. Switch this setting to "Classic: local users authenticate as themselves" to give remote Nessus credentialed scans the privilege they need.

Customers are also encouraged to run firewalls on their desktops. However, if they are auditing the Windows XP desktop with Nessus, ports 445 and 139 should be left open, or the IP address from the authorized auditing node running Nessus should be trusted.
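The four settings from this section (the three Windows Firewall policy items, the "Sharing and security model" option) and the advice just above about trusting only the authorized auditing node can all be checked from the registry locations that gpedit.msc and Local Security Settings write to. The script below is an added example, not code from the original post or from Tenable. It assumes it is run locally as an administrator on the XP desktop with PowerShell installed (XP did not ship with it), that the standalone VM uses the "StandardProfile" policy branch, and that 10.0.0.5 is a constructed placeholder for your Nessus scanner's address; the parameter names and the Check-FdccScanPrereqs function name are my own.

```powershell
# Added example: report the Group Policy / Local Security Policy settings the
# post changes on the FDCC reference image, and apply them with -Fix.
# Registry paths are the documented policy locations for these settings.
param(
    [switch]$Fix,
    [string]$ScannerAddress = "10.0.0.5",          # placeholder, replace with your scanner
    [ValidateSet("StandardProfile", "DomainProfile")]
    [string]$FirewallProfile = "StandardProfile"    # standalone VM => StandardProfile
)

$fwPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$FirewallProfile"

# One entry per setting: where gpedit/secpol stores it and the value it must hold.
$checks = @(
    @{ Key = "$fwPolicy\Services\FileAndPrint"; Name = "Enabled"; Want = 1;
       Desc = "Windows Firewall: Allow File and Printer Sharing exception (Enabled)" },
    @{ Key = "$fwPolicy\Services\RemoteAdmin";  Name = "Enabled"; Want = 1;
       Desc = "Windows Firewall: Allow Remote administration exception (Enabled)" },
    @{ Key = $fwPolicy; Name = "DoNotAllowExceptions"; Want = 0;
       Desc = "Windows Firewall: Do not allow exceptions (Disabled)" },
    @{ Key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"; Name = "ForceGuest"; Want = 0;
       Desc = "Network access: Sharing and security model = Classic (ForceGuest 0)" }
)

function Get-PolicyValue($Key, $Name) {
    # Returns $null when the key or value does not exist (setting "Not Configured").
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Set-PolicyValue($Key, $Name, $Data) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Data -Type DWord
}

function Check-FdccScanPrereqs {
    $allOk = $true
    foreach ($c in $checks) {
        $have = Get-PolicyValue $c.Key $c.Name
        $ok = ($have -eq $c.Want)
        if (-not $ok) { $allOk = $false }
        $state = if ($ok) { "OK  " } else { "FAIL" }
        Write-Host ("[{0}] {1}: current={2} expected={3}" -f $state, $c.Desc, $have, $c.Want)
        if ($Fix -and -not $ok) { Set-PolicyValue $c.Key $c.Name $c.Want }
    }
    return $allOk
}

$compliant = Check-FdccScanPrereqs

if ($Fix) {
    # Scope both exceptions to the authorized Nessus host instead of any source,
    # which is the post's alternative to leaving 139/445 open to everyone.
    foreach ($svc in "FileAndPrint", "RemoteAdmin") {
        Set-ItemProperty -Path "$fwPolicy\Services\$svc" -Name "RemoteAddresses" `
            -Value $ScannerAddress -Type String
    }
    Write-Host "Policy values written; run 'gpupdate /force' and confirm in gpedit.msc."
} elseif (-not $compliant) {
    Write-Host "One or more prerequisites missing; re-run with -Fix to apply them."
}
```

Run it once without -Fix to see which of the four settings still block a credentialed scan, then with -Fix to apply them. ForceGuest only governs local-account logons on non-domain machines, which is why the post calls this step out for standalone XP desktops; on a domain-joined VM switch -FirewallProfile to DomainProfile so the right policy branch is edited.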

Configuring Your Nessus Scanner

We will use NessusClient to perform this scan. To perform such an audit, create a scan policy with the credentials of the target system, select the "Windows Compliance Checks" plugin, make sure that "Enable Plugin Dependencies" is enabled, and then select the FDCC Desktops v90 audit file. Screen shots of this process are shown below:

[Screenshots: Credentials; Windows Compliance Plugin; FDCC Audit Policy]

Although we are focusing on an FDCC configuration audit, the scan could have just as easily implemented tests for other configurations, performed a full patch audit, or launched vulnerability checks.

If you were performing this test with a different Nessus client, or with the Security Center, the same data would need to be completed in your scan policies.

Analyzing the Results

When scanning the FDCC Reference system, testing should show 100% compliance with all required OMB settings. Below are two reports of a scanned Windows XP Pro FDCC reference system.

The first report shows 100% compliance with all settings.

The second report shows several issues which reflect non-compliant configurations. For the second test we changed several settings to something less strict than the FDCC requires and performed a new scan.

Both reports are HTML files and can be viewed with a web browser.

Download FDCC_WinXP_Compliance_Report.html

Download FDCC_WinXP_Non-Compliance_Report.html

If these scans were performed with the Security Center, the scans themselves could be scheduled with the proper credentials, and specific non-compliant settings could be reported across thousands of desktops for analysis and action by auditors and asset owners.

For More Information

This test did not consider the FDCC desktop firewall audit requirements. Tenable has produced a policy for FDCC desktop firewalls directly based on the NIST SCAP recommended configuration guidelines. However, in order to work with domains, patch management systems and other Microsoft centric solutions, most organizations will need to make exceptions to this policy. Organizations who do make exceptions should modify the Nessus audit policy to reflect their desired firewall settings.
