Title: Message
Hi,
 
I have made custom scans for many things. One thing right now that I am struggling with is getting the results back in time. For instance, I have 2 sessions that I run for a custom registry check on anti-virus updates, to ensure that they have all updated. One session had 17 servers and the other had 24 servers. I let it run. The 17 servers had no problem coming back with the results, but the session that had 24 servers kept on running for days. I evened out the number to 20 and 21 servers. The session that used to have 24 worked (now 20). Unfortunately, I am still waiting for the 2nd session to finish because a server on its list is down right now.
 
Lots of tweaking....
 

Donna Sopatyk
Information Security Analyst
EDS - Contingency, Security, and Audit

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, October 27, 2003 8:16 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ISSForum] System Scanner

We have customized many of the System Scanner policies. The two main reasons are that the High/Medium/Low values are not set correctly according to our standards, and the other is because of the reporting. If you set a variable override for a check, the vulnerability is still reported. This causes our high-level reports to executives to be incorrect. For example, if you copy the accountPolicy policy and modify the variable minimumPasswordLength to change the value to 8 from 6, when you run the new policy against your server, you will still get the oo-account-05 show up in your report as a High value non-compliance setting even if you have changed your server's password length value to 8. I have had to make a copy of the oo-account-05 check and change the Tcl code to reflect the value 8 instead of 6. That way, if your server's setting is correctly set to 8, it will not show up in the report.

 

My advice is to check your reports for these things too.

 

 

Shelley Coughlan

Bell Canada Corporate Security

Security Operations

-----------------------------------------------------

-----Original Message-----
From: NEYBERT, KARL (SBIS) [mailto:[EMAIL PROTECTED]]
Sent: October 22, 2003 11:02 AM
To: Kriss Warner; [EMAIL PROTECTED]
Subject: RE: [ISSForum] System Scanner

 

I like the approach of using custom policies. Another approach is to break up your scans into smaller groups, say 25 or fewer agents. This makes more sessions, but you can group the scans by function or geographic region. That makes them smaller and easier for ISS to run and system administrators to review. If you use standardized naming for the sessions, you can write a script to copy them off to a website where the applicable system administrators can then review.

-----Original Message-----
From: Kriss Warner [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 18, 2003 2:53 PM
To: 'Reeves, Mike'; 'Weiss, Jeffrey H.'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] System Scanner

Mike:

A couple of Questions

How many agents are you currently trying to scan concurrently now?

What kind of instability are you encountering?

As for the CLI, I really don't think that will help with the stability issue

Let me know

Most problems that I have encountered have been on the Connectivity side of the equation

The CLI proves well for scheduling and automating the scans

 

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Reeves, Mike
Sent: Friday, October 17, 2003 8:44 AM
To: 'Weiss, Jeffrey H.'; '[EMAIL PROTECTED]'
Subject: RE: [ISSForum] System Scanner

 

I have developed and deployed custom policies. The problem I have been running into is stability issues when running or updating large amounts of agents. Especially using the console. (Mixed results with the CLI also) I guess what I am really looking for is how many agents most people update at a time or how many agents they scan simultaneously with a medium sized policy. Should I completely abandon the console and use CLI exclusively?

 

Thanks,

 

Mike 

-----Original Message-----
From: Weiss, Jeffrey H. [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 10:05 AM
To: 'Reeves, Mike'; '[EMAIL PROTECTED]'
Subject: RE: [ISSForum] System Scanner

Hi, Mike,

One approach is to make your own custom policies and then manifest them in System Scanner policies--otherwise, unless you have a monitoring staff, continuously reviewing entire baseline shifts and every possible vulnerability detected will leave you somewhat fatigued.

We did this and it makes it far more manageable.
Just my thoughts....
Jeffrey

-----Original Message-----
From: Reeves, Mike [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 8:30 AM
To: '[EMAIL PROTECTED]'
Subject: [ISSForum] System Scanner

 

Does anyone have any good best practices using System Scanner in a large
environment? I have read through the admin and user guides but I am looking
for a way to get the best bang for my buck.

Thanks,

Mike

 

This e-mail transmission contains information that is confidential and may be privileged.   It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo


