Hi Jason,
On Feb 19, 2008, at 8:39 AM, Jason Haar wrote:
> Hi there
>
> [reposted: last attempt blackholed after being delivered to
> 66.240.11.103]
>
> We've been noticing Nessus incorrectly reporting a tonne of Windows
> vulnerabilities on our fully patched XP workstations, and I've figured
> out why.
>
> It appears nessus now requires that you run it using a local admin
> account to get the correct results, as a whole bunch of tests now
> involve looking at the version numbers of DLL files, etc - something
> that has to be done via connecting to the admin$ share.
>
> e.g. we are seeing most (but not all) of our fully patched XP-SP2
> machines showing up as not being patched against ms03-024 (i.e.
> 11787).
> If I re-run the scan using an account that has local admin privs,
> these "hits" disappear.
There are two ways to look for the presence of a given Microsoft
patch: either check in the registry that the patch has been applied,
or look at the version of the DLL itself.

Looking at the registry used to be a reliable way of checking for
patches, but it's increasingly becoming less and less of an option:
some 3rd party patch deployment tools apparently do not create the
proper registry entries when applying a patch, there are/were some
problematic patches in the past where the registry entry would be
created, then the patch would make sure it can be applied and then it
would be applied (so if the host is missing a requisite, then the
registry entry would be there but the patch would not be deployed),
and starting with Windows Vista, Microsoft dropped support for getting
patches from the registry altogether and this is something I assume
will also be true for Windows Server 2008.

In fact, for a while Microsoft recommended checking the version of
the DLLs themselves to make sure that a patch is applied.

So, whenever possible, Nessus does both - it looks at the DLL itself
if it's granted the proper credentials, or it looks at the registry
entry if it does not have enough privileges to read ADMIN$. In the
future, I would not be surprised if it only checked for the version of
the DLLs on disk (some patch deployments are already solely checked
by looking at files on disk, as there is no option to check for them in
the registry).

So you should discuss your policy between your infosec and netops
teams and make sure that infosec has an account with the proper
privileges -- being able to *properly* audit your hosts is definitely
a SOX requirement.
-- Renaud
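As an added illustration (not Nessus code and not part of Renaud's message), here is a PowerShell script that performs the two checks he describes: it compares the on-disk DLL version over ADMIN$ when the scanning account has local-admin rights, and falls back to the hotfix registry entry otherwise. The host name, DLL path, fixed file version and KB number are placeholders to be filled in from the relevant bulletin, and the registry key location is the XP/2003-era hotfix key, an assumption not stated in the message.

```powershell
# Added example, not Nessus code: reproduce the two patch checks described above.
# Host, file, version and KB values are placeholders taken from the bulletin.
param(
    [string]$Computer        = 'WORKSTATION01',        # placeholder host
    [string]$RelativeDllPath = 'system32\EXAMPLE.dll', # placeholder DLL named in the bulletin
    [version]$FixedVersion   = '5.1.2600.9999',        # placeholder: first patched file version
    [string]$KbId            = 'KB000000'              # placeholder KB number
)

# Preferred check: compare the on-disk DLL version over the ADMIN$ share.
# Returns $true/$false, or $null when the file cannot be read (no local-admin
# rights, share disabled, host unreachable) so the caller can fall back.
function Test-DllVersion {
    $path = "\\$Computer\ADMIN$\$RelativeDllPath"
    try {
        $vi = (Get-Item -Path $path -ErrorAction Stop).VersionInfo
    } catch {
        Write-Warning "Cannot read $path : $($_.Exception.Message)"
        return $null
    }
    # Build the version from the numeric parts; the FileVersion string may
    # carry a trailing build tag such as '(xpsp.080413-2111)' that [version] rejects.
    $onDisk = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    return ($onDisk -ge $FixedVersion)
}

# Fallback check: look for the hotfix key through the Remote Registry service.
# XP/2003 record applied hotfixes under this key (assumed location); Vista and
# later do not, and the key can exist even when the patch never finished installing.
function Test-HotfixRegistry {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\$KbId")
        return ($null -ne $key)
    } finally {
        $hklm.Close()
    }
}

$result = Test-DllVersion
if ($null -ne $result) {
    $method = 'file version (authoritative)'
} else {
    $result = Test-HotfixRegistry
    $method = 'registry entry (weaker evidence)'
}
$state = if ($result) { 'present' } else { 'MISSING' }
"{0}: {1} {2} via {3}" -f $Computer, $KbId, $state, $method
```

Run it with an unprivileged account and then with a local-admin account to see the same host reported from the registry in the first case and from the file version in the second, which is the difference behind the false positives in the original post.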
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus