OK, I have been asked to write a scan that, with proper credentials,
can determine if the Windows XP Pro SP2 personal firewall is enabled
or not. It sounds pretty simple. Check access, check the Windows
version, check for the Service (SharedAccess) and then check a single
registry entry
(SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall).
If it is a 1, it is enabled, otherwise it is a 0 and not enabled (as far
as I can tell).
I already enabled remote administration and allowing for local users
to log in.
So if the user I am using to log in with is not an Admin I always get
0. If I use an Admin account I get nothing for that reg item. I
can connect from another Windows box with regedit and the same
account and browse to the reg entry, but I can't seem to get it with
Nessus.
My Google-fu is failing me. Any ideas? I seem to remember reading
of restricted registry access, but everything I can find about using
winreg and the local security policy editor seems to not have any
effect on me getting a return for the key I want.
Thanks
Here is the basic (stripped down) idea of what I am trying.
key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\";
item = "CurrentVersion";
ver = string(registry_get_sz(key:key, item:item));
# if it is XP
if (ver == '5.1') {
  # if the service is running
  if ("SharedAccess" >< services) {
    key = "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\";
    item = "EnableFirewall";
    enabled = string(registry_get_sz(key:key, item:item));
    # if the firewall is not enabled
    if (int(enabled) != 1) {
      # report not enabled
    }
  } else {
    # report service not running
  }
}
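
Added example (not part of the original post and not Nessus code): the check sequence described above, written in Python over constructed `reg query` style text, keeping an empty or unreadable EnableFirewall read distinct from a stored value of 0. The function names, state labels and sample text are assumptions made for the illustration.

```python
import re

# Constructed sample of `reg query` style output for the StandardProfile key.
# EnableFirewall is stored as a REG_DWORD, not a string value.
SAMPLE_ENABLED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile
    EnableFirewall    REG_DWORD    0x1
    DoNotAllowExceptions    REG_DWORD    0x0
"""

# Value lines are indented: name, registry type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Return {name: (type, data)} for every value line in the output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = (match.group(2), match.group(3).strip())
    return values


def firewall_state(version, services, reg_text):
    """Classify a host following the steps in the post (hypothetical labels)."""
    if version != "5.1":                      # CurrentVersion for Windows XP
        return "not-xp"
    if "SharedAccess" not in services:
        return "service-not-running"
    entry = parse_reg_query(reg_text).get("EnableFirewall")
    if entry is None:
        # Nothing came back: an access problem or a missing value.
        # This must not be reported as "firewall disabled".
        return "unknown"
    reg_type, data = entry
    if reg_type != "REG_DWORD":
        return "unknown"
    try:
        value = int(data, 0)                  # accepts "0x1" as well as "1"
    except ValueError:
        return "unknown"
    return "enabled" if value == 1 else "disabled"
```

With this shape, a credentialed scan that gets no data for the value produces an "unknown" finding to investigate rather than a false "firewall off" report.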