I am looking for a list of the specific access rights needed by a
windows domain account to successfully read the registry and system file
versions. I am referencing smb_nt_ms06-001.nasl, ID 20382.
Nessus docs suggest that the "Classic" security model needs to be
invoked and that an account needs to be an "Administrator", either in
the local admin group or a member of the domain admin group, which in
turn is added to the local admin group.
Through domain policy, I can override local settings and force the
"Classic" security model.
Instead of simply tossing the nessus scanning user account into the
domain admin group, I would like to assign the minimum access rights. I
can use domain policy to give nessus user full access to the
....\SecurePipeServers\winreg key. This assumes Remote Registry service
is running. Domain policy 'could' forcefully enable this service as
well. Would granting "Log on as Service" be equivalent to modifying
this registry key?
To read file system version numbers relies on "File and Printer
sharing" to be available and accessible. Again domain policy 'could'
enable this as well as change the Scope of the exception to include a
list of nessus scanners if the local firewall is enabled (XPSP2 and
greater). What additional rights are required to give the nessus user
the ability to read file versions?
High level steps for a custom domain policy
Assign nessus user to nessusgroup
mod winreg key to include nessusgroup
start remote registry
start file and print sharing with local firewall
mod exception list to nessus scanner Ips
what step(s) to allow nessusgroup file system version reads access?
Regards,
Drew
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
