Aphasia wrote:Most of the scanning solutions I've seen, I've used Nessus a fair bit, we also looked at Qualys and some other tools, and most can usually do either an authenticated (blind) scan according to the latest definitions, or do an scan using credentials where they actually look at things from within. The problem is that depending on your infrastructure, network segmentation, endpoint security / local firewalls these answers might or might not constitute a vulnerability and a risk, which is why you need people that can pretty much interpretate the raw info into something useful.
But I have never heard of them needing file-print sharing enabled since they usually use WMI or similar when using authenticated scans for checking up on the local versions according to either signatures or known problems associated with those. As for patch management or other agents, I don't have a clue. But it sounds darn odd. And if you have the ability to via patch management permanently install a local agent, then it definitely shouldn't need any file/print sharing enabled.
Aphasia wrote:Then you also have the problem, what are you actually doing an audit for. The premises for the test pretty much tells you how much you want to include/exclude and part of the methodology you might want to use. Infrastructure as well as hosts, external/internal, blind scan or various inside scenarios, how much pre-existing info are you allowed, will it be a known or unknown test for operations. Is it a clean slate health check or are you actually auditing towards a pre-existing baseline or policy.
If it's actually looking at a full blind test, or "true" test, then allowing firewall would invalidate that test pretty quickly. If you are looking to secure workstations and servers, you usually don't want to even try to include infrastructure in that test, and thus whitelist and take infrastructure out of the equation in it's entirety, as much as they can anyway. The product is that it could otherwise be a decent chance that it could leave servers open with vulnerabilities because the current rule set doesn't allow the tool to do it's job, and later on somebody makes a change to the rule set and boom, server network infected.
Scrotos wrote:Basically we just want to be as secure as possible in the limits that the C-level people give us, i.e. we'd love to have a whitelist for allowed websites to go to for work but that was a non-starter for all the blokes who want to go to ESPN or NFL.COM. We thought getting a clean bill of health with our monthly scans and 3rd party scans meant we were doing well but one day we had a machine with file and print sharing on and it popped up a few hundred vulnerabilities where before there were none.
Scrotos wrote:So you're saying that's why the firewall is set to let the 3rd party people do their tests. Sure, ok. But by that token the workstations should be under the same "open" policy too. I don't see that as a good idea for our overall network security in general. And it wouldn't be an issue if Nessus or Qualsys or the other products we looked at actually gave the proper results without file and printing enabled.
You're far more familiar with Nessus than we are. Have you ever tried running a test with a machine both with file and print sharing enabled and with it disabled? We found differences in the results. And hell, the instructions say to enable it anyway.
drsauced wrote:Or if you're a little sadistic, give them a modem they can dial into.
Users browsing this forum: UberGerbil and 3 guests