Hi Jim,

We've blogged about how Windows systems should be configured to allow scanning by Nessus for FDCC audits. The blog is at:

http://blog.tenablesecurity.com/2007/09/using-nessus-co.html

These settings are necessary for allowing registry access, as well as allowing access through any local firewall rules. These settings are required for config auditing by Nessus Direct Feed users or organizations who have standardized on the Security Center for enterprise config auditing.

As for FDCC "approval" of configuration deviations, you should ask your auditors or NIST for clarification on this policy. Out of the box, the FDCC images and configuration requirements make it difficult to participate in a domain and perform software updates through traditional Microsoft techniques used in the federal government.

Tenable participates and tracks NIST SCAP/FDCC content, requirements and procedures which are currently in draft. The guidance we've received is to tell our customers to document any required operational deviations from SCAP FDCC policy and submit these to NIST along with their audit results.

Ron Gula, CTO
Tenable Network Security

> One problem I keep stubbing my toe on is Remote Registry.
>
> As all of you are already aware, Nessus needs remote access to the
> target registry to determine if various Hotfixes and patches have been
> applied. Now many secured environments have decided to turn off the
> Remote Registry service. The new OMB mandated FDCC "approved" desktop
> image for Federal desktops has Remote Registry turned off by default.
>
> My question is how can Remote Registry be temporarily turned on for
> scanning purposes? Can an AD GP be used for this purpose?
>
> I've searched the Microsoft site and found
> http://support.microsoft.com/kb/314837

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
