Doug Nordwall wrote:
> does anyone have the minimum set of permissions needed to run an
> authenticated scan with safe checks enabled on windows machines? I know
> there is a lot of registry reading, but I'm guessing not writing. My desire
> is to make a user that can complete a scan, but will pose minimal other
> risks.
>
> on unix, it doesn't appear possible to limit the command set much, as most
> of it appears to be running through /bin/sh (run a sudo scan and check your
> logs)
>
This would be a great discussion on the new Discussion forum ...

You really need registry read and file read. With Windows audits, if you limit the checks to just reading registry settings, you'll prevent many credentialed checks from working which require file read access. This includes all of the patch audits, most of the 3rd party vulns (java, itunes, mozilla, etc.) and the audits which test anti-virus installations.

If you get into the WMI set of checks (you do want Nessus to list the installed software, disk info, cpu info, etc.) you need to ensure that access as well.

Ron Gula
Tenable Network Security
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
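
A preflight check for the three kinds of access named in the reply above (registry read, file read, WMI), as an added example that is not part of the original thread or of Tenable's tooling. The target name, the registry key, the `ADMIN$` file path and the use of DCOM for the WMI query are assumptions chosen for illustration; run it in a session started as the scan account.

```powershell
# Added example: verify a scan account has the read access a credentialed audit needs.
# Everything named below (target, key, file path, DCOM) is an illustrative assumption.
param(
    [string]$Computer = 'TARGET-HOST'   # placeholder target name
)

function Test-Access {
    param([string]$Name, [scriptblock]$Probe)
    try {
        $detail = & $Probe
        [pscustomobject]@{ Check = $Name; Ok = $true;  Detail = "$detail" }
    } catch {
        [pscustomobject]@{ Check = $Name; Ok = $false; Detail = $_.Exception.Message }
    }
}

$results = @(
    # Registry read: read-only open of an HKLM key over the Remote Registry service.
    Test-Access 'Registry read' {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        try {
            $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
            if (-not $key) { throw 'key missing or not readable' }
            $key.GetValue('ProductName')
        } finally { $hklm.Dispose() }
    }
    # File read: patch and third-party audits need file versions, not just registry values.
    Test-Access 'File read' {
        $path = "\\$Computer\ADMIN`$\System32\kernel32.dll"   # assumed sample file
        (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo.FileVersion
    }
    # WMI: the inventory-style checks (installed software, disk, CPU) depend on this.
    Test-Access 'WMI query' {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -SessionOption $opt -ErrorAction Stop
        try {
            (Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop).Caption
        } finally { Remove-CimSession $session }
    }
)

$results | Format-Table -AutoSize
# A non-zero exit code means the account is missing at least one kind of access.
if ($results.Ok -contains $false) { exit 1 }
```

A failed row shows which of the three access types the account lacks, so permissions can be granted one at a time instead of by adding the account to a broad group.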
