Typically this is a Windows-related thing for businesses, but feel free to move this if it's more relevant elsewhere.
So I was wondering what people use for scanning for vulnerabilities when doing IT audits? Qualys, Nessus, etc. And what methodology?
Here's the setup: We're looking into possibly replacing our existing intrusion detection/prevention vendor because they have a product that says our workstations are perfectly locked down but when we enable file and print sharing, we get tons of vulnerabilities. We'd looked into something like this for patch management of 3rd party applications like Acrobat Reader and JAVA; we have WSUS to take care of MS-related patches (mostly).
All the solutions we looked into required you to enable file and print sharing. However, we disable it because there's no need for workstations to share out anything and there's less of a chance that they will be vulnerable to attacks from that vector if we just disable it entirely. That's the hope at least.
Anyway, we've been evaluating various products and some claim to scan workstations as long as they have AD credentials to log onto the local workstations but in the end it either doesn't work or there's some addendum later on saying, "oh yeah, we need F&P sharing enabled to install a local agent, scan, and then uninstall a local agent." I don't even care if we have to permanently install agents for vulnerability scanning, I just don't want to enable file and print sharing to get accurate scan results.
Now at some point in this process we had the epiphany that in all the years since we moved from Netware (and even before since we were using Windows workstations) not a single outside IT auditing/security firm or a state or federal IT audit team has EVER asked for us to enable file and print sharing before they ran vulnerability tests. These are the same entities who have asked for a domain login and to have our firewalls and IDS/IPS services whitelist their attempts to scan and penetrate our network externally.
So you'd think that you can't make the argument that they want a "true" test by not having us change our network for their scan since they already have us do that and have us give them the keys to the kingdom with a login. And many of the vulnerabilities found with the file and print sharing enabled are relevant since a user browsing to a malicious website could exploit those unpatched vulnerabilities. So it seems like that is something both 3rd party firms and fed/state people would care about.
I can't believe that we're the only ones to have come to this point. I mean, I'm cynical enough as it is--is an entire industry based on finding vulnerabilities just half-assing it?
That's why I'm askin' y'all. Anyone doing things in a way that would make sense to the scenario I laid out? Anyone in auditing firms or government entities that could speak to these concerns? I believe the closest we've gotten for an answer is "well, do whatever you think your policy requires you to do in this situation." That was from a government person and really isn't much direction.
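One way to get the piece the post actually wants (third-party version data from workstations without turning on file and print sharing) is to collect it over PowerShell Remoting, which rides on WinRM (TCP 5985/5986) rather than SMB. The script below is an added example written for this thread, not something from the original poster or from any of the scanning vendors mentioned. It assumes WinRM is already enabled on the workstations (for example via GPO), that the account running it has local administrator rights on them, and that computer names come from AD; the OU path and the output file names are placeholders. It produces an inventory, not a vulnerability verdict: the versions still have to be compared against the vendor's current release notes.

```powershell
# Added example (not from the original post): inventory third-party software
# versions on domain workstations over PowerShell Remoting (WinRM) instead of
# SMB, so file and print sharing can stay disabled.
# Assumptions: WinRM enabled on targets, caller has local admin rights there,
# ActiveDirectory module installed on the machine running this.
# 'OU=Workstations,DC=example,DC=local' is a placeholder search base.

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Workstations,DC=example,DC=local' |
    Select-Object -ExpandProperty Name

# Product name fragments to report on; the post names Acrobat Reader and Java.
$patterns = 'Adobe Acrobat', 'Adobe Reader', 'Java'

# Runs on each workstation: read the two Uninstall registry hives (native and
# 32-bit-on-64-bit) and keep entries whose DisplayName matches a pattern.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($patterns)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $name = $_.DisplayName
            ($patterns | Where-Object { $name -like "*$_*" }).Count -gt 0
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Product  = $_.DisplayName
                Version  = $_.DisplayVersion
            }
        }
} -ArgumentList (,$patterns)

# Hosts that never answered over WinRM are a finding on their own: they were
# not assessed, which is a different statement from "no vulnerabilities".
$reached   = $results | ForEach-Object PSComputerName | Sort-Object -Unique
$unreached = $computers | Where-Object { $_ -notin $reached }

$results | Sort-Object Computer, Product | Format-Table Computer, Product, Version -AutoSize
$results | Export-Csv -Path .\thirdparty-inventory.csv -NoTypeInformation   # placeholder path
$unreached | Set-Content -Path .\unreached-hosts.txt                          # placeholder path
```

Keeping the unreached list separate matters for exactly the problem described in the post: a scanner that silently skips hosts it cannot reach will report them as clean, which is the "perfectly locked down" result the poster distrusts.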