Adam,
We try to write every check without an account requirement wherever possible, but for checking files or registry keys, you must have the required access.
I can assure you that all of the Internet Scanner checks that are listed as requiring Administrator access are designed to give a solid vuln/not vuln result. If for whatever reason the check cannot determine one of those two states, an unknown will be recorded and reported to fusion where available. The unknown helps fusion know that we aren't sure, and to go ahead and protect where applicable.
Scanning a domain, with a domain administrator account entered into KnownAccounts, should yield you good results. If the accounts in the Known Accounts file to not have the permissions to (for example) map drives, or enumerate the registry on the remote machine, then your results can be indeterminate as you put it.
One trick you can try, is to map a drive from the scanning machine, to the remote target by hand. Map this drive using the Administrator account, and try your scan again. This drive mapping should give you the required credentials to run registry checks, without entering anything into the KnownAccounts.
If you have examples of some of the Administrator Access checks you are having trouble with, I'd like to hear which ones they are, and possibly exchange the appropriate data to resolve the issues. We really do want you to have the highest possibly accuracy in your scans.
What are the ISS recommendations for scanning untrusted computers? It is my understanding that a client can request a downgrade of encryption. For example from NTLMv2 to LM Hash. Could this then be used to compromise the Administrator or Domain Administrator account used by the scanner if a malicious or compromised computer is scanned where the account already does not exist?
Will the scanner work if the local security policy of the scanner is set not to accept LM negotiations? I assume it wouldn't be able to scan 9x clients then. How much risk would still exist even if NTLMv2 was enforced?
thanks,
-- Gary Flynn Security Engineer - Technical Services James Madison University
_______________________________________________ ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
