Tuesday, January 18, 2011

Bandolier Baselines: Windows 7 and 2008 Server

The use of a vulnerability scanner in assessing the overall security posture of an integrated ICS is more critical now than ever. A common misconception is that these scanners will not detect ICS-related vulnerabilities, like those used in the recent Stuxnet attack, and that the scans themselves can often cause ICS equipment to fail. Both of these beliefs are, in fact, quite false. Digital Bond has provided some very good guidance on the "proper" use of the Nessus vulnerability scanner within an ICS environment. As for the comment on vulnerabilities ... well, this is simply because those individuals do not realize the power and flexibility of performing ICS scans and audits using the authenticated scan features of Nessus, coupled with the use of specialized Nessus audit files.



(the following was copied and edited from the Digital Bond blog post)
Digital Bond is releasing today (January 18, 2011) the Bandolier Baseline Security Audit Files for Windows 7 and Windows 2008R2 Member Server. Like other Bandolier Security Audit Files, these work with a compliance plugin in the Nessus Vulnerability Scanner to do a low impact audit of security configuration parameters.
The Bandolier Baselines Security Audit Files only cover the security settings in the operating system, and they are a starting point for the development of ICS vendor specific Bandolier Security Audit Files. The Bandolier Baselines were developed as follows:
  • Digital Bond took the Microsoft security guidance for Windows 7 and Windows 2008R2 Member Server as referenced in the NIST National Checklist Program Repository.
  • They then added their recommended settings where Microsoft provided no guidance.
  • And they also modified a very small number of settings where the Microsoft recommendation was not appropriate for control systems.
A spreadsheet with all the additions and modifications to the Microsoft recommendations will be available shortly (and will be posted on both my Blogger and Twitter posts when available). There are 187 security configuration settings audited in the Windows 7 Baseline and 202 security configuration settings audited in the Windows 2008R2 Member Server Baseline.
In addition to being useful as a starting point for vendor specific audit files, the Bandolier Baselines can be used to audit security settings on ICS that don’t yet have a Bandolier Security Audit File. Remember they are audits so they don’t change anything or try to exploit any sub-standard security settings.
The Bandolier Baselines for the Windows 7 and Windows 2008R2 operating systems are the first developed by Digital Bond. In the past we used the OS audit files developed by Tenable Security, with their very kind permission and support.
Based on the number of security checks in other audit files, we believe these Bandolier Baselines are by far the most comprehensive auditing of the Microsoft security recommendations for Windows 7 and 2008R2.
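To show what a Bandolier-style baseline check looks like inside a Nessus compliance audit file, here is a small constructed fragment in the Nessus Windows .audit format. It is an added illustration written for this post, not an excerpt from the Bandolier Baselines or any Tenable file; the group name, the three settings chosen and the expected values are illustrative assumptions, not the 187 or 202 settings Digital Bond audits. Each `custom_item` only states what the scanner should read and compare, which is why a run against such a file reports pass/fail per setting and changes nothing on the target.

```text
<check_type:"Windows" version:"2">
<group_policy:"Illustrative Windows baseline fragment (constructed, not Bandolier)">

# Password policy: read via the authenticated (credentialed) scan and compared
# against the expected minimum. Assumed value; pick the one your baseline uses.
<custom_item>
 type: PASSWORD_POLICY
 description: "Minimum password length"
 value_type: POLICY_DWORD
 value_data: 14
 password_policy: MINIMUM_PASSWORD_LENGTH
</custom_item>

# Lockout policy: a setting an ICS vendor file might relax so that an operator
# console is not locked out during an upset; the threshold here is an assumption.
<custom_item>
 type: LOCKOUT_POLICY
 description: "Account lockout threshold"
 value_type: POLICY_DWORD
 value_data: 10
 lockout_policy: LOCKOUT_THRESHOLD
</custom_item>

# Registry setting: the LSA value that forces audit policy subcategory settings
# to override legacy category settings (real Windows key; expected value assumed).
<custom_item>
 type: REGISTRY_SETTING
 description: "Force audit policy subcategory settings to override audit policy category settings"
 value_type: POLICY_DWORD
 value_data: 1
 reg_key: "HKLM\System\CurrentControlSet\Control\Lsa"
 reg_item: "SCENoApplyLegacyAuditPolicy"
</custom_item>

</group_policy>
</check_type>
```

A fragment like this is loaded through the Nessus compliance plugin with Windows credentials for the target; because every item is a read-and-compare, it is the kind of low-impact check the post describes, and a vendor-specific Bandolier file would extend it by adding or modifying items rather than by changing anything on the host.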

2 comments:

  1. I think the problem with running Nessus isn't Windows servers (like this focuses on) but rather legacy systems, e.g. a PLC that doesn't have a very robust IP stack and crashes when you have more than a few TCP sessions open at one time. Then again, most people who run Nessus don't have a clue and run it in a default mode not considering the targets. It isn't the greatest at fingerprinting OSes sometimes and runs tests against systems that don't make sense, e.g. runs NetBIOS checks against a Linux box running Samba. Regardless, if a system crashes from a stupid port scan, that is a VERY valid result, i.e. it's very DoS friendly. No hacker is going to dance around a fragile system, so why should you as a security professional??