Re: Remote Registry Service

Subject: Re: Remote Registry Service
Date: Fri, 11 Jan 2008 10:10:28 -0500
Hi Jim,

We've blogged about how Windows systems should be configured to allow 
scanning by Nessus for FDCC audits. The blog is at:

http://blog.tenablesecurity.com/2007/09/using-nessus-co.html

These settings are necessary for allowing registry access, as well as 
allowing access through any local firewall rules. These settings are 
required for config auditing by Nessus Direct Feed users or 
organizations who have standardized on the Security Center for 
enterprise config auditing.

As for FDCC "approval" of configuration deviations, you should ask your 
auditors or NIST for clarification on this policy. Out of the box, the 
FDCC images and configuration requirements make it difficult to 
participate in a domain and perform software updates through traditional 
Microsoft techniques used in the federal government. Tenable 
participates and tracks NIST SCAP/FDCC content, requirements and 
procedures which are currently in draft. The guidance we've received is 
to tell our customers to document any required operational deviations 
from SCAP FDCC policy and submit these to NIST along with their audit 
results.

Ron Gula, CTO
Tenable Network Security


One problem I keep stubbing my toe on is Remote Registry.

As all of you are already aware, Nessus needs remote access to the
target registry to determine if various Hotfixes and patches have been
applied. Now many secured environments have decided to turn off the
Remote Registry service. The new OMB mandated FDCC "approved" desktop
image for Federal desktops has Remote Registry turned off by default.

My question is how can Remote Registry be temporarily turned on for
scanning purposes? Can an AD GP be used for this purpose?

I've searched the Microsoft site and found
http://support.microsoft.com/kb/314837