Compare scans
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Compare scans

  1. #1
    Junior Member
    Join Date
    Jan 2003
    Posts
    5

    Compare scans

    We are scanning desktops for vulnerabilities but are having trouble keeping track of the changes. For instance, if we scan one month, patch, then scan the next month we want to see what has changed since the previous month. However, IP address, Host names may have changed. MAC may be the same but maybe not.

    Just wondering what variable you track of for scans to determine which machine you're looking at to make sure the data is accurate as possible. Any advice?
    Thanks

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Well, are you talking about Windows systems, or *nix? Is this an Active Directory domain? Is this a commercial business network where you have control over the network, or an ISP?

    There is no single silver bullet answer to your question, but some of these things I've asked can be leveraged to help you achieve what you're asking about.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    1
    Um, unless you are changing hardware (specifically the NIC) between scans, shouldn't the MAC address be the same?

    What tool (or tools) are you using to do these scans? Nessus, Metasploit Framework, etc? Other than IP and/or hostname, what kind of additional identifying information about a host is captured?
    Nothing is foolproof for a talented fool.

  4. #4
    Junior Member
    Join Date
    Jan 2003
    Posts
    5
    These are windows machines. We use a variety of tools; languard, nessus mostly. Our users are admins on their machines so they make many unauthorized changes and sometimes take out our remote patching account (SMS). We're just trying to deal with our reality here so we end up scaning more than most probably would.

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    ouch, removing the SMS accounts...

    My current client uses a login script that looks for and recreates the domain admin account each time the system is booted/logged in to (one of those...being a 'login script' I'd assume the latter). However, if the user is savvy enough to disable the support account, this would probably not be much of an obstacle either.

    I'd look into something that can scan and track by SID, since it's all windows. That shouldn't change unless they rebuild the OS...and even then, it won't always, if they know how to recreate/copy the old SID into place...I've heard of that, not sure how easy/feasible it is to do.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Banned
    Join Date
    Dec 2004
    Posts
    53
    Why not add a bit to your security policy that dissallows users from disabling the SMS service?

  7. #7
    Junior Member
    Join Date
    Jan 2003
    Posts
    5
    We do have it in our policy but it still doesn't have the teeth it needs.

    Thanks for all the info everyone. We keep plodding along 'cause we love our job.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Since it clearly violates "best practice" why do you allow users to be admins of their own box?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Tell someone to not shoot at their feet is one thing.. it is better to NOT give them the gun in the first place..

    As TS said.. why give users the Admin gun.. they will not only shoot themselve in the foo but YOU run the risk of THEM Blowing your whole network..

    What is the possability one or more of them have set full sharing of the C: drive on their machine or have install a program that could invite any **** on the network..

    This is why Your the Bloody SYSTEM ADMIN..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  10. #10
    Junior Member
    Join Date
    Jan 2003
    Posts
    5
    why do you allow users to be admins of their own box?

    I have to work within the system here. If I was an executive, maybe I could pound my fist and demand it. I've told everyone within earshot and all I get is lip service. It's a cultural change and not a technolocy change; the hardest kind!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •