Thanks for the update, Ron. The last I heard was that OMB required all workstations that process government information to be FDCC compliant.
To be FDCC compliant, the workstation had to be configured with all of the settings; if a single setting is changed, the workstation is not FDCC compliant. I haven't heard of a deviation policy from OMB being released, so to the best of my knowledge deviations from the FDCC settings are not allowed. On XP, if the connection is an outbound connection, the corresponding inbound connection is allowed. On Vista you might have to configure the inbound section of the firewall to work.

--
"When the legend becomes fact, print the legend."

-------------- Original message ----------------------
From: Ron Gula <[EMAIL PROTECTED]>
> Hi John,
>
> Nessus and the Security Center have been certified by NIST to perform SCAP audits of Vista and XP:
>
> http://nvd.nist.gov/validation_securitycenter_docs.html
>
> It does not get much more official than that.
>
> We've also blogged extensively on how you can configure XP and Vista workstations to be audited for FDCC compliance.
>
> The FDCC certification process clearly states that you can make exceptions to the FDCC policy, as long as they are justified. NIST allows organizations to make exceptions for tools and software which require deviations from the standard, as long as there is documentation or justification for it.
>
> Also, if you think deploying an agent based solution won't have issues with the Vista firewall, let alone working within the Vista security framework, just because it is on the host, you should do more testing. You will still likely have to end up making a justification for a deviation to the FDCC requirements.
>
> Ron Gula
> Tenable Network Security
>
> [EMAIL PROTECTED] wrote:
> > I was hoping to hear something from Tenable on the issue of scanning an FDCC compliant Vista workstation. I've supported and recommended Nessus over the years, and I would be disappointed if I would have to stop using it.
> >
> > Take Care --John
> >
> > -------------- Original message ----------------------
> > From: [EMAIL PROTECTED]
> > > Good Morning everyone, the third step in the blog states "Prohibit use of Internet connection firewall on your DNS domain. This setting should either be "Disabled" or "Not Configured"."
> > >
> > > The problem is FDCC requires the setting to be Enabled; changing the setting would cause the workstation to fail FDCC compliancy because it would fail the check for CCE-241 http://nvd.nist.gov/fdcc/download_fdcc.cfm
> > >
> > > With the potential for my client to have thousands of Vista workstations, and the requirement to be fully FDCC compliant, I'm not sure how any remote vulnerability assessment software can be used without moving to an agent based scanner.
> > >
> > > This is only my two shiny centavos --John van Meter
> > >
> > > -------------- Original message ----------------------
> > > From: Paul Davis <[EMAIL PROTECTED]>
> > > > Thanks for the update John! Are you good to go now?
> > > >
> > > > Paul
> > > >
> > > > [EMAIL PROTECTED] wrote:
> > > > > Good Morning Paul and thank you for the information.
> > > > >
> > > > > 1. To turn off UAC completely, open up the Control Panel, select "User Accounts" and then "Turn User Account Control" to off. This is not possible, because the workstation would no longer be FDCC compliant with the failure of CCE-4907-2.
> > > > > 2. I created the LocalAccountTokenFilterPolicy as a Dword and set the value to one. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
> > > > > 3. Remote Registry Service was set to Manual by default on my Windows Vista Business workstation, and should have started when something tried to use it.
> > > > > I looked at both the FDCC V1.0 Q3 2008 Group Policies for Vista and the FDCC-Settings-major-version-1.0 spreadsheet, and the remote registry service is not defined. Starting the service and rerunning a scan for FDCC compliance doesn't create any new failures.
> > > > > I set the remote registry service to automatic and rebooted the workstation. When I reran my Nessus scan, it had access to the registry.
> > > > > I still have to verify that the firewall changes don't create FDCC failures.
> > > > >
> > > > > Take Care and Have Fun --John
> > > > >
> > > > > -------------- Original message ----------------------
> > > > > From: Paul Davis <[EMAIL PROTECTED]>
> > > > > > John,
> > > > > >
> > > > > > Have you enabled the "RemoteRegistry" service and followed the other steps delineated in this blog entry?
> > > > > >
> > > > > > http://blog.tenablesecurity.com/2008/02/testing-windows.html
> > > > > >
> > > > > > If not, please try it and let me know how it works for you.
> > > > > >
> > > > > > Paul
> > > > > >
> > > > > > [EMAIL PROTECTED] wrote:
> > > > > > > Hello Everyone,
> > > > > > >
> > > > > > > I have a question about Nessus's ability to scan a Vista workstation with the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy applied. The setting I would like to talk about is under Security Options \ Run all Administrators in Admin Approval Mode, which is enabled in the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy. The target workstation is a member of a domain. I ran a remote Nessus scan of my Vista workstation; the scan was run with a domain account.
> > > > > > > With Run all Administrators in Admin Approval Mode enabled, Nessus reported that it was able to remotely connect to the Windows registry.
> > > > > > > The only FDCC Group Policy being applied to the target is FDCC V1.0 Q3 2008 Vista Security Settings.
> > > > > > > CCE-4907-2 requests that Run all Administrators in Admin Approval Mode be enabled. This setting restricts the admin account so that it doesn't have full admin rights.
> > > > > > > Locally you can run an admin task by right clicking on the program, selecting Run as administrator, then selecting Allow.
> > > > > > > Remotely, the Nessus scan reported that it didn't have access to the registry, and I believe this is due to the User Access Control in Vista restricting admin privileges.
> > > > > > > Does Tenable have any plans of action to deal with this?
> > > > > > >
> > > > > > > Thank You for the information --John
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Nessus mailing list
> > > > > > > [email protected]
> > > > > > > http://mail.nessus.org/mailman/listinfo/nessus
> > > > > > >
> > > > > > --
> > > > > > Best Regards,
> > > > > >
> > > > > > Paul Davis
> > > > > > Research Engineer
> > > > > > Tenable Network Security Inc
> > > > > > Phone: 410.872.0555
> > > > > > www.tenablesecurity.com
> > > > > >
> > > > > > Is your network TENABLE?
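An added example, not code from this thread, Tenable or NIST: a PowerShell script that audits a Vista workstation for the four settings the thread turns on or worries about (Admin Approval Mode, LocalAccountTokenFilterPolicy, the RemoteRegistry service, and the domain-profile firewall), so an administrator can see which are part of the FDCC baseline and which one is a deviation that needs written justification. It assumes Vista or later with PowerShell 2.0 in an elevated session; the mapping of Admin Approval Mode to the EnableLUA value is my own and is not stated in the thread.

```powershell
# Added audit script (not from the thread, Tenable or NIST). Assumes Vista or
# later, PowerShell 2.0 and an elevated session. Registry path and service name
# are the ones John used above; CCE ids are as quoted in the thread.
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyDword([string]$Name) {
    # Returns the DWORD, or $null when the value is absent ("Not Configured").
    try { (Get-ItemProperty -Path $Policies -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Check($Check, $Value, $Expected, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Expected = $Expected; Ok = $Ok }
}

$checks = @()

# CCE-4907-2 ("Run all administrators in Admin Approval Mode") is stored as
# EnableLUA = 1 (assumed mapping); turning UAC off would fail it, as John notes.
$lua = Get-PolicyDword 'EnableLUA'
$checks += New-Check 'Admin Approval Mode (EnableLUA)' $lua 1 ($lua -eq 1)

# LocalAccountTokenFilterPolicy = 1 (John's step 2) gives remote admin logons an
# unfiltered token. It is not in the FDCC baseline, so it is the setting to
# record as a deviation with its justification rather than leave undocumented.
$latfp = Get-PolicyDword 'LocalAccountTokenFilterPolicy'
$checks += New-Check 'LocalAccountTokenFilterPolicy (document as deviation)' $latfp 1 ($latfp -eq 1)

# RemoteRegistry is Manual by default; John set it to Automatic. Win32_Service
# exposes StartMode on PowerShell 2.0, where Get-Service has no StartType.
$svc = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
$svcState = if ($svc) { "$($svc.State)/$($svc.StartMode)" } else { 'missing' }
$svcOk = ($svc -ne $null) -and ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
$checks += New-Check 'RemoteRegistry service' $svcState 'Running/Auto' $svcOk

# CCE-241 wants the firewall left enabled on the domain profile; Vista's netsh
# prints "State ON" for an enabled profile. Scanner access belongs in inbound
# rules, not in disabling the profile.
$fwText = (netsh advfirewall show domainprofile state 2>&1) | Out-String
$fwOn = [bool]($fwText -match 'State\s+ON')
$checks += New-Check 'Domain-profile firewall enabled' $(if ($fwOn) { 'ON' } else { 'OFF/unknown' }) 'ON' $fwOn

$checks | Format-Table Check, Value, Expected, Ok -AutoSize
$failed = @($checks | Where-Object { -not $_.Ok }).Count
if ($failed -gt 0) { Write-Warning "$failed check(s) need attention or a documented deviation."; exit 1 }
exit 0
```

Run it before and after the registry and service changes described in the thread to confirm that only LocalAccountTokenFilterPolicy differs from the baseline, which is the item to write up as a justified deviation.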
