Mailing List Archive

nessus and disabled registry/WMI services
Hi there

We recently acquired a company and used Nessus to do an initial
vulnerability assessment - to ensure the site is in good shape. It
failed to discover much at all - even though it ran with Domain Admin
privs.

Ends up none of their PCs have either WMI or Remote Registry services
enabled - which these days knocks 99% of nessus's checks on the head?

Now I know the Nessus docs say that these services have to be enabled,
but that means AD Policies, and for smaller sites that's actually a bit
difficult ("AD policies? What does 'AD' stand for?").

Could Nessus look at the option of attempting to remotely start those
services if they are not running? Easier said than done I know, but it
never hurts to ask. The reality is that we used to have (>1 year ago)
great success at running Nessus against such sites with nothing but
Domain Admin privs, but these days that doesn't appear to be enough.

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: nessus and disabled registry/WMI services
Hi Jason,

Being able to log into a host with full privileges and then launch some
services is an interesting request. We've avoided it because Nessus is
an auditing tool and not a management tool. We did not want to walk down
the path of launching services, making registry changes, installing
patches, etc.

WMI and registry access is needed for some checks, but patch auditing
uses SMB access. Depending on the check, WMI and registry access might
not be needed - certainly not 99% of the Windows checks.

Was it not possible these computers were up to date?

Were these computers Windows XP and not Windows XP Pro?

Ron Gula
Tenable Network Security


Jason Haar wrote:
> Hi there
>
> We recently acquired a company and used Nessus to do an initial
> vulnerability assessment - to ensure the site is in good shape. It
> failed to discover much at all - even though it ran with Domain Admin
> privs.
>
> Ends up none of their PCs have either WMI or Remote Registry services
> enabled - which these days knocks 99% of nessus's checks on the head?
>
> Now I know the Nessus docs say that these services have to be enabled,
> but that means AD Policies, and for smaller sites that's actually a bit
> difficult ("AD policies? What does 'AD' stand for?").
>
> Could Nessus look at the option of attempting to remotely start those
> services if they are not running? Easier said than done I know, but it
> never hurts to ask. The reality is that we used to have (>1 year ago)
> great success at running Nessus against such sites with nothing but
> Domain Admin privs, but these days that doesn't appear to be enough.
>
> Thanks
>
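
A read-only pre-scan check for the situation discussed in this thread, added here as an example (it is not from either poster and not Nessus or Tenable code): it reports, per target, whether SMB is reachable and whether the Remote Registry and WMI services are running, so gaps in credentialed-scan coverage are known before the scan. The host names are placeholders, TCP 445 is assumed as the SMB port, and Windows PowerShell 5.1 is assumed because `Get-Service -ComputerName` is not available in PowerShell 7.

```powershell
# Added example: pre-scan service check. Read-only, it starts or changes nothing.
# Assumes Windows PowerShell 5.1 and an account allowed to query services remotely.
$targets  = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')   # placeholder host names
$services = @('RemoteRegistry', 'Winmgmt')        # Remote Registry and WMI services

function Test-ScanPrerequisite {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string[]] $ServiceName
    )

    # The reply above notes that patch auditing uses SMB access; port 445 is assumed.
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 `
               -InformationLevel Quiet -WarningAction SilentlyContinue

    $row = [ordered]@{ Host = $ComputerName; Smb445 = $smb }

    foreach ($name in $ServiceName) {
        if (-not $smb) {
            $row[$name] = 'unreachable'
            continue
        }
        try {
            $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction Stop
            # e.g. "Stopped/Disabled" shows why registry or WMI checks return nothing.
            $row[$name] = '{0}/{1}' -f $svc.Status, $svc.StartType
        }
        catch {
            # Access denied, RPC blocked, or the service does not exist on this host.
            $row[$name] = 'query failed: ' + $_.Exception.Message
        }
    }

    # True only when SMB answered and every listed service reports Running.
    $notRunning = $ServiceName | Where-Object { $row[$_] -notlike 'Running/*' }
    $row['AllRunning'] = [bool]$smb -and -not $notRunning

    [pscustomobject]$row
}

$targets |
    ForEach-Object { Test-ScanPrerequisite -ComputerName $_ -ServiceName $services } |
    Format-Table -AutoSize
```

Hosts where `AllRunning` is false are the ones whose scan results should be read as incomplete rather than clean.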
