-
January 28th, 2005, 12:51 AM
#1
Junior Member
Compare scans
We are scanning desktops for vulnerabilities but are having trouble keeping track of the changes. For instance, if we scan one month, patch, then scan the next month, we want to see what has changed since the previous month. However, IP addresses and host names may have changed. The MAC may be the same, but maybe not.
Just wondering what variables you keep track of for scans to determine which machine you're looking at, to make sure the data is as accurate as possible. Any advice?
Thanks
-
January 28th, 2005, 05:05 AM
#2
Well, are you talking about Windows systems, or *nix? Is this an Active Directory domain? Is this a commercial business network where you have control over the network, or an ISP?
There is no single silver bullet answer to your question, but some of these things I've asked can be leveraged to help you achieve what you're asking about.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
January 28th, 2005, 09:41 AM
#3
Junior Member
Um, unless you are changing hardware (specifically the NIC) between scans, shouldn't the MAC address be the same?
What tool (or tools) are you using to do these scans? Nessus, Metasploit Framework, etc? Other than IP and/or hostname, what kind of additional identifying information about a host is captured?
Nothing is foolproof for a talented fool.
-
January 28th, 2005, 05:16 PM
#4
Junior Member
These are Windows machines. We use a variety of tools; LANguard and Nessus mostly. Our users are admins on their machines, so they make many unauthorized changes and sometimes take out our remote patching account (SMS). We're just trying to deal with our reality here, so we end up scanning more than most probably would.
-
January 28th, 2005, 09:11 PM
#5
ouch, removing the SMS accounts...
My current client uses a login script that looks for and recreates the domain admin account each time the system is booted/logged in to (one of those...being a 'login script' I'd assume the latter). However, if the user is savvy enough to disable the support account, this would probably not be much of an obstacle either.
I'd look into something that can scan and track by SID, since it's all windows. That shouldn't change unless they rebuild the OS...and even then, it won't always, if they know how to recreate/copy the old SID into place...I've heard of that, not sure how easy/feasible it is to do.
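Tracking hosts by SID rather than by IP or hostname, as suggested above, is straightforward to script. The following is an added example, not code from the thread; the scan records are constructed inline (the SID, IP, MAC and vulnerability IDs are placeholders) and it assumes the scanner export, or a login script, records the machine SID alongside the usual fields.

```python
"""Diff two monthly vulnerability scans, matching hosts by machine SID.

Added example (not from the thread). Scan records are constructed inline;
real data would come from the scanner's export (Nessus, LANguard, ...).
Assumes the machine SID is recorded alongside IP, hostname and MAC, since
IP and hostname may change between scans while the SID normally does not.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class HostScan:
    sid: str            # machine SID: stable unless the OS is rebuilt
    ip: str
    hostname: str
    mac: str
    vulns: set[str] = field(default_factory=set)


def diff_scans(previous: list[HostScan], current: list[HostScan]) -> dict:
    """Return per-machine changes between two scans, keyed by SID."""
    prev = {h.sid: h for h in previous}
    curr = {h.sid: h for h in current}
    report = {}
    for sid in prev.keys() | curr.keys():
        p, c = prev.get(sid), curr.get(sid)
        if p is None:                       # SID never seen before
            report[sid] = {"status": "new_host", "open": sorted(c.vulns)}
        elif c is None:                     # SID dropped out (off, rebuilt, gone)
            report[sid] = {"status": "missing_host"}
        else:                               # same machine: compare findings
            report[sid] = {
                "status": "matched",
                "fixed": sorted(p.vulns - c.vulns),
                "new": sorted(c.vulns - p.vulns),
                "still_open": sorted(p.vulns & c.vulns),
                # IP/hostname drift is expected; flag it instead of re-keying on it
                "identity_changed": [f for f in ("ip", "hostname", "mac")
                                     if getattr(p, f) != getattr(c, f)],
            }
    return report


# Constructed sample data (placeholder SIDs and vulnerability IDs)
JAN = [
    HostScan("S-1-5-21-1111-2222-3333", "10.0.0.5", "WS-FINANCE-01", "00:11:22:33:44:55", {"V-001", "V-002"}),
    HostScan("S-1-5-21-4444-5555-6666", "10.0.0.9", "WS-HR-02", "00:11:22:33:44:66", {"V-001"}),
]
FEB = [
    # same machine: new DHCP lease and renamed by its local-admin user
    HostScan("S-1-5-21-1111-2222-3333", "10.0.0.17", "BOBS-BOX", "00:11:22:33:44:55", {"V-002", "V-003"}),
    # different machine that inherited the old IP and hostname
    HostScan("S-1-5-21-7777-8888-9999", "10.0.0.9", "WS-HR-02", "00:11:22:33:44:77", {"V-003"}),
]

if __name__ == "__main__":
    for sid, entry in diff_scans(JAN, FEB).items():
        print(sid, entry)
```

Keying on IP or hostname alone would have reported the second machine as "WS-HR-02, still vulnerable", which is exactly the confusion the thread describes.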
-
January 28th, 2005, 10:49 PM
#6
Why not add a bit to your security policy that disallows users from disabling the SMS service?
-
January 29th, 2005, 12:16 AM
#7
Junior Member
We do have it in our policy but it still doesn't have the teeth it needs.
Thanks for all the info everyone. We keep plodding along 'cause we love our job.
-
January 29th, 2005, 10:35 PM
#8
Since it clearly violates "best practice" why do you allow users to be admins of their own box?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 30th, 2005, 01:11 AM
#9
Telling someone not to shoot at their feet is one thing.. it is better to NOT give them the gun in the first place..
As TS said.. why give users the Admin gun.. they will not only shoot themselves in the foot but YOU run the risk of THEM blowing your whole network..
What is the possibility one or more of them have set full sharing of the C: drive on their machine or have installed a program that could invite any **** on the network..
This is why you're the Bloody SYSTEM ADMIN..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
January 31st, 2005, 05:02 PM
#10
Junior Member
why do you allow users to be admins of their own box?
I have to work within the system here. If I was an executive, maybe I could pound my fist and demand it. I've told everyone within earshot and all I get is lip service. It's a cultural change and not a technology change; the hardest kind!