Hi John, Nessus and the Security Center have been certified by NIST to perform SCAP audits of Vista and XP:
http://nvd.nist.gov/validation_securitycenter_docs.html It does not get much more official than that. We've also blogged extensively on how you can configure XP and Vista workstations to be audited for FDCC compliance. The FDCC certification process clearly states that you can make exceptions to the FDCC policy, as long as they are justified. NIST allows organizations to make exceptions for tools and software which require deviations from the standard, as long as there is documentation or justification for it. Also, if you think deploying an agent based solution won't have issues with the Vista firewall, let alone working within the Vista security framwork, just because it is on the host, you should do more testing. You will still likely have to end up making a justification for a deviation to the FDCC requirements. Ron Gula Tenable Network Security [EMAIL PROTECTED] wrote: > I was hoping to hear something from Tenable on the issue of scanning a FDCC > Compliant Vista workstation. I've supported and recommended Nessus over the > years, and I would be disappointed if I would have to stop using it. > > Take Care --John > > -- > "When the legend becomes fact, print the legend." > > > -------------- Original message ---------------------- > From: [EMAIL PROTECTED] >> Good Morning everyone, The third step in the blog states "Prohibit use of >> Internet connection firewall on your DNS domain. This setting should either >> be >> "Disabled" or "Not Configured". >> http://blog.tenablesecurity.com/2008/02/testing-windows.html >> >> The problem is FDCC Requires the setting to be Enabled, changing the >> setting >> would cause the workstation to fails FDCC com pliancy because it would fail >> the >> check for CCE-241 http://nvd.nist.gov/fdcc/download_fdcc.cfm >> >> >> With the potential for my client to have thousands of Vista workstations, >> and >> the requirement to be fully FDCC compliant. I'm not sure how any remote >> vulnerability assessment software can be used without moving to a agent >> based >> scanner. >> >> This is only my two shiny centavos --John van Meter >> >> -- >> "When the legend becomes fact, print the legend." >> >> >> -------------- Original message ---------------------- >> From: Paul Davis <[EMAIL PROTECTED]> >>> Thanks for the update John! Are you good to go now? >>> >>> Paul >>> >>> [EMAIL PROTECTED] wrote: >>>> Good Morning Paul and thank you for the information. >>>> >>>> >>>> 1. To turn off UAC completely, open up the Control Panel, select "User >>> Accounts" and then "Turn User Account Control" to off. This is not >>> possible, >>> because the workstation would no longer be FDCC complient with the failure >>> of >>> CCE-4907-2. >>>> 2. I created the LocalAccountTokenFilterPolicy as a Dword and set the >>>> value >>> to one. >> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountToken >>> FilterPolicy >>>> 3. Remote Registry Service, was set to Manual by default on my Windows >>>> Vista >>> Business workstation , and should have started when something tried to use >>> it. >>>> I looked at both the FDCC V1.0 Q3 2008 Group Policies for Vista and >>> FDCC-Settings-major-version-1.0 spread sheet and the remote registry >>> service >> is >>> not defined. Starting the service and rerunning a scan for FDCC Compliance >>> doesn't create any new failures. >>>> I set the remote registry service to automatic and rebooted the >>>> workstation. >>> When I reran my Nessus scan had access to the registry. >>>> I still have to verify that the firewall changes don't create FDCC >>>> failures. >>>> >>>> Take Care and Have Fun --John >>>> >>>> >>>> >>>> >>>> >>>> -- >>>> "When the legend becomes fact, print the legend." >>>> >>>> >>>> -------------- Original message ---------------------- >>>> From: Paul Davis <[EMAIL PROTECTED]> >>>>> John, >>>>> >>>>> Have you enabled the "RemoteRegistry" service and followed the other >>>>> steps >>>>> delineated in this blog entry? >>>>> >>>>> http://blog.tenablesecurity.com/2008/02/testing-windows.html >>>>> >>>>> If not, please try it and let me know how it works for you. >>>>> >>>>> Paul >>>>> >>>>> [EMAIL PROTECTED] wrote: >>>>>> Hello Everyone, >>>>>> >>>>>> I have a questions about Nessuses ability to scan a Vista Workstation, >> with >>>>> the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy applied. The >>> settings >>>>> I would like to talk about is under Security Options \ Run all >> Administrators >>> in >>>>> Admin Approvel Mode that is enabled in FDCC V1.0 Q3 2008 Vista Security >>> Settings >>>>> Group Policy . The target workstation is a member of a domain, I ran a >> remote >>>>> Nessus scan of my Vista workstation, the scan was ran with a domain >> account. >>>>>> WIth the Run all Administrators in Admin Approvel Mode enabled, Nessus >>> report >>>>> that It was able to remotely connect to the Windows registry. The only >>>>> FDCC >>>>> Group Policy being applied to the target is FDCC V1.0 Q3 2008 Vista >> Security >>>>> Settings. >>>>>> CCE-4907-2 requests that Run all Administrators in Admin Approvel Mode >>>>>> to >> be >>>>> enabled. This setting restrict admin account so that it doesn't have full >>> admin >>>>> rights. >>>>>> Locally you can run a admin task by right clicking on the program >> selecting >>>>> Run as administrators, then selecting allow. >>>>>> Remotely, the Nessus scan reported that it didn't have access to the >>> registry >>>>> and I believe this is due to the User Access Control in Vista restricting >>> admin >>>>> priveleges. >>>>>> Does Tenable have any plans of action to deal with this? >>>>>> >>>>>> Thank You for the information --John >>>>>> >>>>>> >>>>>> -- >>>>>> "When the legend becomes fact, print the legend." >>>>>> _______________________________________________ >>>>>> Nessus mailing list >>>>>> [email protected] >>>>>> http://mail.nessus.org/mailman/listinfo/nessus >>>>>> >>>>> -- >>>>> Best Regards, >>>>> >>>>> Paul Davis >>>>> Research Engineer >>>>> Tenable Network Security Inc >>>>> Phone: 410.872.0555 >>>>> www.tenablesecurity.com >>>>> >>>>> Is your network TENABLE? >>>> >>> -- >>> Best Regards, >>> >>> Paul Davis >>> Research Engineer >>> Tenable Network Security Inc >>> Phone: 410.872.0555 >>> www.tenablesecurity.com >>> >>> Is your network TENABLE? >> _______________________________________________ >> Nessus mailing list >> [email protected] >> http://mail.nessus.org/mailman/listinfo/nessus > > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
