Mailing List Archive

Nessus, Vista User Access Control and FDCC
Hello Everyone,

I have a question about Nessus's ability to scan a Vista workstation with the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy applied. The setting I would like to talk about is under Security Options \ Run all Administrators in Admin Approval Mode, which is enabled in the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy. The target workstation is a member of a domain. I ran a remote Nessus scan of my Vista workstation; the scan was run with a domain account.

With the Run all Administrators in Admin Approval Mode enabled, Nessus reports that it was able to remotely connect to the Windows registry. The only FDCC Group Policy being applied to the target is FDCC V1.0 Q3 2008 Vista Security Settings.

CCE-4907-2 requests that Run all Administrators in Admin Approval Mode be enabled. This setting restricts the admin account so that it doesn't have full admin rights.

Locally you can run an admin task by right-clicking on the program, selecting Run as administrator, then selecting Allow.

Remotely, the Nessus scan reported that it didn't have access to the registry and I believe this is due to the User Access Control in Vista restricting admin privileges.

Does Tenable have any plans of action to deal with this?

Thank You for the information --John


--
"When the legend becomes fact, print the legend."
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: Nessus, Vista User Access Control and FDCC
John,

Have you enabled the "RemoteRegistry" service and followed the other steps delineated in this blog entry?

http://blog.tenablesecurity.com/2008/02/testing-windows.html

If not, please try it and let me know how it works for you.

Paul


--
Best Regards,

Paul Davis
Research Engineer
Tenable Network Security Inc
Phone: 410.872.0555
www.tenablesecurity.com

Is your network TENABLE?
Re: Nessus, Vista User Access Control and FDCC
Good Morning Paul and thank you for the information.


1. To turn off UAC completely, open up the Control Panel, select "User Accounts" and then "Turn User Account Control" to off. This is not possible, because the workstation would no longer be FDCC compliant with the failure of CCE-4907-2.

2. I created the LocalAccountTokenFilterPolicy as a DWORD and set the value to one.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

3. Remote Registry Service was set to Manual by default on my Windows Vista Business workstation, and should have started when something tried to use it.

I looked at both the FDCC V1.0 Q3 2008 Group Policies for Vista and the FDCC-Settings-major-version-1.0 spreadsheet, and the remote registry service is not defined. Starting the service and rerunning a scan for FDCC Compliance doesn't create any new failures.

I set the remote registry service to automatic and rebooted the workstation. When I reran my Nessus scan, it had access to the registry.

I still have to verify that the firewall changes don't create FDCC failures.

Take Care and Have Fun --John





--
"When the legend becomes fact, print the legend."
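
A read-only check of the three settings walked through in the message above, as an added example that is not part of the original post or of Tenable's guidance. It assumes PowerShell is available on the workstation and that the Admin Approval Mode policy is stored as the `EnableLUA` registry value, a mapping the thread itself does not name.

```powershell
# Added example (not from the thread): read-only report of the settings the
# message lists. Run it locally on the workstation that will be scanned.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Format-Value {
    param($Value)
    if ($null -eq $Value) { return '(not set)' }
    return [string]$Value
}

function New-Finding {
    param([string]$Setting, [string]$Observed, [string]$Meaning)
    New-Object PSObject -Property @{
        Setting = $Setting; Observed = $Observed; Meaning = $Meaning
    } | Select-Object Setting, Observed, Meaning
}

$findings = @()

# 1. "Run all administrators in Admin Approval Mode" (the CCE-4907-2 setting
#    in the thread). Assumption: stored as EnableLUA, where 1 = enabled.
$enableLua = Get-RegValue $uacKey 'EnableLUA'
if ($enableLua -eq 1) {
    $meaning = 'Admin Approval Mode enabled (UAC on)'
} else {
    $meaning = 'Admin Approval Mode disabled or not set; the thread says FDCC requires it enabled'
}
$findings += New-Finding 'EnableLUA' (Format-Value $enableLua) $meaning

# 2. LocalAccountTokenFilterPolicy: 1 gives members of the local Administrators
#    group a full token on remote logons. It governs local accounts only;
#    domain accounts in that group are not token-filtered remotely.
$tokenFilter = Get-RegValue $uacKey 'LocalAccountTokenFilterPolicy'
if ($tokenFilter -eq 1) {
    $meaning = 'Local admin accounts get a full token over the network'
} else {
    $meaning = 'Local admin accounts are filtered remotely; domain admin accounts are unaffected'
}
$findings += New-Finding 'LocalAccountTokenFilterPolicy' (Format-Value $tokenFilter) $meaning

# 3. Remote Registry service: configured start mode and current state.
#    Start values: 2 = Automatic, 3 = Manual, 4 = Disabled.
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$start = Get-RegValue $svcKey 'Start'
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($null -eq $start -or $null -eq $svc) {
    $observed = '(service not found)'
    $meaning = 'Remote registry reads cannot be served'
} else {
    $mode = $startNames[[int]$start]
    if ($null -eq $mode) { $mode = "Start=$start" }
    $observed = "$mode / $($svc.Status)"
    if ($svc.Status -eq 'Running') {
        $meaning = 'Remote registry reads can be served now'
    } else {
        $meaning = 'Not running; a credentialed scan may report no registry access'
    }
}
$findings += New-Finding 'RemoteRegistry service' $observed $meaning

$findings | Format-Table -AutoSize -Wrap
```

The script changes nothing on the host, so it can be run before and after a Group Policy refresh to see which of the three values the policy resets.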


Re: Nessus, Vista User Access Control and FDCC
Good Morning everyone, The third step in the blog states "Prohibit use of Internet connection firewall on your DNS domain. This setting should either be "Disabled" or "Not Configured". http://blog.tenablesecurity.com/2008/02/testing-windows.html

The problem is FDCC requires the setting to be Enabled; changing the setting would cause the workstation to fail FDCC compliancy because it would fail the check for CCE-241 http://nvd.nist.gov/fdcc/download_fdcc.cfm


With the potential for my client to have thousands of Vista workstations, and the requirement to be fully FDCC compliant, I'm not sure how any remote vulnerability assessment software can be used without moving to an agent-based scanner.

This is only my two shiny centavos --John van Meter

--
"When the legend becomes fact, print the legend."


-------------- Original message ----------------------
From: Paul Davis <pdavis@tenablesecurity.com>
> Thanks for the update John! Are you good to go now?
>
> Paul
Re: Nessus, Vista User Access Control and FDCC
I was hoping to hear something from Tenable on the issue of scanning an FDCC Compliant Vista workstation. I've supported and recommended Nessus over the years, and I would be disappointed if I would have to stop using it.

Take Care --John

--
"When the legend becomes fact, print the legend."


Re: Nessus, Vista User Access Control and FDCC
Hi John,

Nessus and the Security Center have been certified by NIST
to perform SCAP audits of Vista and XP:

http://nvd.nist.gov/validation_securitycenter_docs.html

It does not get much more official than that.

We've also blogged extensively on how you can configure XP
and Vista workstations to be audited for FDCC compliance.

The FDCC certification process clearly states that you
can make exceptions to the FDCC policy, as long as they are
justified. NIST allows organizations to make exceptions for
tools and software which require deviations from the
standard, as long as there is documentation or justification
for it.

Also, if you think deploying an agent based solution won't
have issues with the Vista firewall, let alone working within
the Vista security framework, just because it is on the host,
you should do more testing. You will still likely have to
end up making a justification for a deviation to the FDCC
requirements.

Ron Gula
Tenable Network Security






Re: Nessus, Vista User Access Control and FDCC
Thanks for the update Ron, the last I heard was OMB required all workstations that process government information to be FDCC Compliant.

To be FDCC Compliant the workstation had to be configured with all of the settings; if a single setting is changed the workstation is not FDCC compliant.

I haven't heard of a deviation policy from OMB being released, so to the best of my knowledge deviation from the FDCC settings is not allowed.

On XP, if the connection is an outbound connection, the corresponding inbound connection is allowed. On Vista you might have to configure the inbound section of the firewall to work.
--
"When the legend becomes fact, print the legend."


-------------- Original message ----------------------
From: Ron Gula <rgula@tenablesecurity.com>
> Hi John,
>
> Nessus and the Security Center have been certified by NIST
> to perform SCAP audits of Vista and XP:
>
> http://nvd.nist.gov/validation_securitycenter_docs.html
>
> It does not get much more official than that.
>
> We've also blogged extensively on how you can configure XP
> and Vista workstations to be audited for FDCC compliance.
>
> The FDCC certification process clearly states that you
> can make exceptions to the FDCC policy, as long as they are
> justified. NIST allows organizations to make exceptions for
> tools and software which require deviations from the
> standard, as long as there is documentation or justification
> for it.
>
> Also, if you think deploying an agent based solution won't
> have issues with the Vista firewall, let alone working within
> the Vista security framwork, just because it is on the host,
> you should do more testing. You will still likely have to
> end up making a justification for a deviation to the FDCC
> requirements.
>
> Ron Gula
> Tenable Network Security
>
>
>
>
>
>
> jfvanmeter@comcast.net wrote:
> > I was hoping to hear something from Tenable on the issue of scanning a FDCC
> Compliant Vista workstation. I've supported and recommended Nessus over the
> years, and I would be disappointed if I would have to stop using it.
> >
> > Take Care --John
> >
> > --
> > "When the legend becomes fact, print the legend."
> >
> >
> > -------------- Original message ----------------------
> > From: jfvanmeter@comcast.net
> >> Good Morning everyone, The third step in the blog states "Prohibit use of
> >> Internet connection firewall on your DNS domain. This setting should either
> be
> >> "Disabled" or "Not Configured".
> >> The
> >>
> >> The problem is FDCC Requires the setting to be Enabled, changing the setting
> >> would cause the workstation to fails FDCC com pliancy because it would fail
> the
> >> check for CCE-241 http://nvd.nist.gov/fdcc/download_fdcc.cfm
> >>
> >>
> >> With the potential for my client to have thousands of Vista workstations, and
> >> the requirement to be fully FDCC compliant. I'm not sure how any remote
> >> vulnerability assessment software can be used without moving to a agent based
> >> scanner.
> >>
> >> This is only my two shiny centavos --John van Meter
> >>
> >> --
> >> "When the legend becomes fact, print the legend."
> >>
> >>
> >> -------------- Original message ----------------------
> >> From: Paul Davis <pdavis@tenablesecurity.com>
> >>> Thanks for the update John! Are you good to go now?
> >>>
> >>> Paul
> >>>
> >>> jfvanmeter@comcast.net wrote:
> >>>> Good Morning Paul and thank you for the information.
> >>>>
> >>>>
> >>>> 1. To turn off UAC completely, open up the Control Panel, select "User
> >>> Accounts" and then "Turn User Account Control" to off. This is not
> possible,
> >>> because the workstation would no longer be FDCC complient with the failure
> of
> >>> CCE-4907-2.
> >>>> 2. I created the LocalAccountTokenFilterPolicy as a Dword and set the
> value
> >>> to one.
> >>
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountToken
> >>> FilterPolicy
> >>>> 3. Remote Registry Service, was set to Manual by default on my Windows
> Vista
> >>> Business workstation , and should have started when something tried to use
> it.
> >>>> I looked at both the FDCC V1.0 Q3 2008 Group Policies for Vista and
> >>> FDCC-Settings-major-version-1.0 spread sheet and the remote registry service
> >> is
> >>> not defined. Starting the service and rerunning a scan for FDCC Compliance
> >>> doesn't create any new failures.
> >>>> I set the remote registry service to automatic and rebooted the
> workstation.
> >>> When I reran my Nessus scan had access to the registry.
> >>>> I still have to verify that the firewall changes don't create FDCC
> failures.
> >>>>
> >>>> Take Care and Have Fun --John
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> "When the legend becomes fact, print the legend."
> >>>>
> >>>>
> >>>> -------------- Original message ----------------------
> >>>> From: Paul Davis <pdavis@tenablesecurity.com>
> >>>>> John,
> >>>>>
> >>>>> Have you enabled the "RemoteRegistry" service and followed the other steps
> >>>>> delineated in this blog entry?
> >>>>>
> >>>>> http://blog.tenablesecurity.com/2008/02/testing-windows.html
> >>>>>
> >>>>> If not, please try it and let me know how it works for you.
> >>>>>
> >>>>> Paul
> >>>>>
> >>>>> jfvanmeter@comcast.net wrote:
> >>>>>> Hello Everyone,
> >>>>>>
> >>>>>> I have a questions about Nessuses ability to scan a Vista Workstation,
> >> with
> >>>>> the FDCC V1.0 Q3 2008 Vista Security Settings Group Policy applied. The
> >>> settings
> >>>>> I would like to talk about is under Security Options \ Run all
> >> Administrators
> >>> in
> >>>>> Admin Approvel Mode that is enabled in FDCC V1.0 Q3 2008 Vista Security
> >>> Settings
> >>>>> Group Policy . The target workstation is a member of a domain, I ran a
> >> remote
> >>>>> Nessus scan of my Vista workstation, the scan was ran with a domain
> >> account.
> >>>>>> WIth the Run all Administrators in Admin Approvel Mode enabled, Nessus
> >>> report
> >>>>> that It was able to remotely connect to the Windows registry. The only
> FDCC
> >>>>> Group Policy being applied to the target is FDCC V1.0 Q3 2008 Vista
> >> Security
> >>>>> Settings.
> >>>>>> CCE-4907-2 requests that Run all Administrators in Admin Approvel Mode to
> >> be
> >>>>> enabled. This setting restrict admin account so that it doesn't have full
> >>> admin
> >>>>> rights.
> >>>>>> Locally you can run a admin task by right clicking on the program
> >> selecting
> >>>>> Run as administrators, then selecting allow.
> >>>>>> Remotely, the Nessus scan reported that it didn't have access to the
> >>> registry
> >>>>> and I believe this is due to the User Access Control in Vista restricting
> >>> admin
> >>>>> priveleges.
> >>>>>> Does Tenable have any plans of action to deal with this?
> >>>>>>
> >>>>>> Thank You for the information --John
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> "When the legend becomes fact, print the legend."
> >>>>>> _______________________________________________
> >>>>>> Nessus mailing list
> >>>>>> Nessus@list.nessus.org
> >>>>>> http://mail.nessus.org/mailman/listinfo/nessus
> >>>>>>
> >>>>> --
> >>>>> Best Regards,
> >>>>>
> >>>>> Paul Davis
> >>>>> Research Engineer
> >>>>> Tenable Network Security Inc
> >>>>> Phone: 410.872.0555
> >>>>> www.tenablesecurity.com
> >>>>>
> >>>>> Is your network TENABLE?
> >>>>
> >>> --
> >>> Best Regards,
> >>>
> >>> Paul Davis
> >>> Research Engineer
> >>> Tenable Network Security Inc
> >>> Phone: 410.872.0555
> >>> www.tenablesecurity.com
> >>>
> >>> Is your network TENABLE?
Re: Nessus, Vista User Access Control and FDCC [ In reply to ]
On Thu, August 21, 2008 9:19 am, jfvanmeter@comcast.net wrote:
> Thanks for the update Ron, the last I heard was OMB required all
> workstations that process government information to be FDCC Compliant.

All government owned systems, regardless of use.

> To be FDCC Compliant the workstation had to be configured with all of the
> settings, if a single setting is changed the workstation is not FDCC
> compliant.
>
> I haven't heard of a deviation policy from OMB being released, so to
> the best of my knowledge deviations from the FDCC settings are not
> allowed.

OMB is the mandate, NIST (FDCC) is the policy. I've never seen an audit or
C&A package that didn't make gratuitous use of the "N/A" loophole. Like
airport security, such "regulations" are pure theatre and are the biggest
reason why I jumped that ship and became a filthy contractor.

Tangent example: Trusted Internet Connections (TIC)

Good luck in your new field! Burnout comes fast :-)

Randy


--------
top posting is evil


Re: Nessus, Vista User Access Control and FDCC [ In reply to ]
Hello Randal, my main focus this year is FDCC, FDCC Deployment, and Application Testing. The reason I used the statement "workstations that process government information to be FDCC Compliant" is that I had a third party vendor contact me and ask if their corp laptops, when connected to a government network and processing information, had to be FDCC compliant. The direction I got from NIST is "OMB wants to see FDCC applied to nearly any PC that processes government data."
I know we can want in one hand and ..... anyway we all know that one.

Hopefully the 2008 Security Automation Conference and Workshop (4th Annual) in Sept will bring some light to the subject of FDCC and deviations.

Take Care and Have Fun --John


-------------- Original message ----------------------
From: "Randal T. Rioux" <randy@procyonlabs.com>
> On Thu, August 21, 2008 9:19 am, jfvanmeter@comcast.net wrote:
> > Thanks for the update Ron, the last I heard was OMB required all
> > workstations that process government information to be FDCC Compliant.
>
> All government owned systems, regardless of use.
>
> > To be FDCC Compliant the workstation had to be configured with all of the
> > settings, if a single setting is changed the workstation is not FDCC
> > compliant.
> >
> > I haven't heard of a deviation policy from OMB being released, so to
> > the best of my knowledge deviations from the FDCC settings are not
> > allowed.
>
> OMB is the mandate, NIST (FDCC) is the policy. I've never seen an audit or
> C&A package that didn't make gratuitous use of the "N/A" loophole. Like
> airport security, such "regulations" are pure theatre and are the biggest
> reason why I jumped that ship and became a filthy contractor.
>
> Tangent example: Trusted Internet Connections (TIC)
>
> Good luck in your new field! Burnout comes fast :-)
>
> Randy
>
>
> --------
> top posting is evil
