Mailing List Archive

minimum set of permissions
Does anyone have the minimum set of permissions needed to run an
authenticated scan with safe checks enabled on Windows machines? I know
there is a lot of registry reading, but I'm guessing not writing. My desire
is to make a user that can complete a scan, but will pose minimal other
risks.

On Unix, it doesn't appear possible to limit the command set much, as most
of it appears to be running through /bin/sh (run a sudo scan and check your
logs).

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
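
Added example, not part of the original post: one way to do the "check your logs" step above is to summarize what a scan account actually executed through sudo. The log lines are constructed samples in sudo's syslog format, and the account name `scanacct` and the function `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's syslog format (not from a real scan).
SAMPLE_LOG = """\
Feb 11 10:02:13 web01 sudo:   scanacct : TTY=unknown ; PWD=/home/scanacct ; USER=root ; COMMAND=/bin/sh -c uname -a
Feb 11 10:02:14 web01 sudo:   scanacct : TTY=unknown ; PWD=/home/scanacct ; USER=root ; COMMAND=/bin/sh -c cat /etc/redhat-release
Feb 11 10:02:15 web01 sudo:   scanacct : TTY=unknown ; PWD=/home/scanacct ; USER=root ; COMMAND=/bin/rpm -qa
Feb 11 10:05:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Feb 11 10:06:02 web01 sudo:   scanacct : command not allowed ; TTY=unknown ; PWD=/home/scanacct ; USER=root ; COMMAND=/bin/sh -c id
"""

# "<user> : <key=value fields> COMMAND=<full command line>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<fields>.*?)COMMAND=(?P<command>.*)$")
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh"}


def summarize(log_text, account):
    """Count binaries `account` ran via sudo, how many were shells, and denials."""
    binaries, via_shell, denied = Counter(), 0, 0
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("user") != account:
            continue
        if "command not allowed" in m.group("fields"):
            denied += 1  # sudoers rejected this command; it never ran
            continue
        binary = m.group("command").split()[0]
        binaries[binary] += 1
        if binary in SHELLS:
            via_shell += 1  # the real command is an argument to the shell
    return {"binaries": dict(binaries), "via_shell": via_shell, "denied": denied}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "scanacct"))
```

If the shell accounts for most entries, listing individual commands in sudoers does not narrow much, because a rule that permits /bin/sh permits whatever is passed to it.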
Re: minimum set of permissions
Doug Nordwall wrote:
> Does anyone have the minimum set of permissions needed to run an
> authenticated scan with safe checks enabled on Windows machines? I know
> there is a lot of registry reading, but I'm guessing not writing. My desire
> is to make a user that can complete a scan, but will pose minimal other
> risks.
>
> On Unix, it doesn't appear possible to limit the command set much, as most
> of it appears to be running through /bin/sh (run a sudo scan and check your
> logs).
>

This would be a great discussion on the new Discussion forum ...

You really need registry read and file read.

With Windows audits, if you limit the checks to just reading registry
settings, you'll prevent many credentialed checks from working which
require file read access. This includes all of the patch audits, most
of the 3rd party vulns (Java, iTunes, Mozilla, etc.) and the audits
which test anti-virus installations.

If you get into the WMI set of checks (you do want Nessus to list
the installed software, disk info, CPU info, etc.) you need to ensure
that access as well.

Ron Gula
Tenable Network Security
RE: minimum set of permissions
http://www.nessus.org/documentation/nessus_domain_whitepaper.pdf is
probably a good starting point.

S. J

From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Doug Nordwall
Sent: Thursday, 12 February 2009 3:25 AM
To: Nessus nessus
Subject: minimum set of permissions