Compare scans

**securlynn** · January 28th, 2005, 12:51 AM

We are scanning desktops for vulnerabilities but are having trouble keeping track of the changes. For instance, if we scan one month, patch, then scan the next month we want to see what has changed since the previous month. However, IP address, Host names may have changed. MAC may be the same but maybe not.

Just wondering what variable you track of for scans to determine which machine you're looking at to make sure the data is accurate as possible. Any advice?
Thanks

***zencoder*** · January 28th, 2005, 05:05 AM

Well, are you talking about Windows systems, or *nix? Is this an Active Directory domain? Is this a commercial business network where you have control over the network, or an ISP?

There is no single silver bullet answer to your question, but some of these things I've asked can be leveraged to help you achieve what you're asking about.

**JohnnyM** · January 28th, 2005, 09:41 AM

Um, unless you are changing hardware (specifically the NIC) between scans, shouldn't the MAC address be the same?

What tool (or tools) are you using to do these scans? Nessus, Metasploit Framework, etc? Other than IP and/or hostname, what kind of additional identifying information about a host is captured?

**securlynn** · January 28th, 2005, 05:16 PM

These are windows machines. We use a variety of tools; languard, nessus mostly. Our users are admins on their machines so they make many unauthorized changes and sometimes take out our remote patching account (SMS). We're just trying to deal with our reality here so we end up scaning more than most probably would.

***zencoder*** · January 28th, 2005, 09:11 PM

ouch, removing the SMS accounts...

My current client uses a login script that looks for and recreates the domain admin account each time the system is booted/logged in to (one of those...being a 'login script' I'd assume the latter). However, if the user is savvy enough to disable the support account, this would probably not be much of an obstacle either.

I'd look into something that can scan and track by SID, since it's all windows. That shouldn't change unless they rebuild the OS...and even then, it won't always, if they know how to recreate/copy the old SID into place...I've heard of that, not sure how easy/feasible it is to do.

**a morning chill** · January 28th, 2005, 10:49 PM

Why not add a bit to your security policy that dissallows users from disabling the SMS service?

**securlynn** · January 29th, 2005, 12:16 AM

We do have it in our policy but it still doesn't have the teeth it needs.

Thanks for all the info everyone. We keep plodding along 'cause we love our job.

***Tiger Shark*** · January 29th, 2005, 10:35 PM

Since it clearly violates "best practice" why do you allow users to be admins of their own box?

***Und3ertak3r*** · January 30th, 2005, 01:11 AM

Tell someone to not shoot at their feet is one thing.. it is better to NOT give them the gun in the first place..

As TS said.. why give users the Admin gun.. they will not only shoot themselve in the foo but YOU run the risk of THEM Blowing your whole network..

What is the possability one or more of them have set full sharing of the C: drive on their machine or have install a program that could invite any **** on the network..

This is why Your the Bloody SYSTEM ADMIN..

**securlynn** · January 31st, 2005, 05:02 PM

why do you allow users to be admins of their own box?

I have to work within the system here. If I was an executive, maybe I could pound my fist and demand it. I've told everyone within earshot and all I get is lip service. It's a cultural change and not a technolocy change; the hardest kind!

Thread: Compare scans

Thread Tools

Display

Compare scans

Posting Permissions