From: H Carvey (keydet89@yahoo.com)
Date: Sun Feb 29 2004 - 07:21:33 EST
>After reviewing some scan results and finding a number of false positives from nessus (primarly in XP hosts), I began to become a
>bit more concerned than I already was.
>This is in no way reflecting upon nessus's ability to find vulnerabilities and I truely believe all scanners have these issues.
You may be right.
>The question is, what does everyone else do about this?
Back in '99, while working for a security consulting company, I came up with the idea to develop a tool that would retrieve and store raw data from systems, rather than returning simply the "decision".
We'd run into issues with ISS's Internet Scanner. One in particular was the reporting of the AutoAdminLogon Registry value. According to MS, this was only an issue if the value was set to "1". In this instance, the Admin password would appear in the Registry in plain text (doh!). Scanning one particular domain, ISS "found" 22 systems w/ AutoAdminLogon set, but only one system had the value of "1"...the others had the value set to "0", no password, and when rebooted would not automatically log into the admin account. In this case, the customer was fully aware of the situation...had we gone with the ISS report, w/o verifying it in any way, we'd lost a great deal of credibility. The tool I wrote pulled the data from the Registry and we were able to see what the real values were and respond accordingly.
>So what else can we do? Check the registry manually, this is an option but very time consuming, does
>anyone actually do this???
Perl provides the necessary functionality to retrieve this information remotely, as long as you have the appropriate permissions. What we ended up doing was including, in the contract, the requirement for temporary domain admin accounts for the assessment. In addition to providing us with the necessary level of access, this also allowed us to see first-hand what procedures were used when creating (and removing) accounts.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT