September 8th, 2005, 11:05 AM
Nessus on Workstations
Hi, we run Nessus scans regularly on our servers as part of normal operations.
I am thinking of expanding this to the desktops. Anyone else doing this? Is there a point? Our desktops are managed, secured and firewalled.
September 8th, 2005, 11:11 AM
We're going to be using Retina to scan servers but I don't think we have plans to bother with workstations. Too many of them and the loss of a workstation isn't a major issue if the servers are safe.
On the desktop side we're more concerned with spyware/adware apps that staff can download/bring in. That's probably our major desktop issue.
September 8th, 2005, 01:48 PM
A compromised desktop can be used as a launch platform for other activity that could have an impact on the organisation and the servers.
Do I scan the workstations at work? No, I haven't got the resource to do so.
I rely on managing the desktops and educating the users.
The costs for mitigating the risk outweigh the perceived benefits.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
September 8th, 2005, 02:45 PM
If you can enforce centrally managed and standardized desktop/workstations, then spyware, viruses, etc. should be a non-issue.
But if you work in a place where you have no clout (like me!), where the managers don't side with the I.T. dept. (like my management!), where the managers force you to make an exception for anyone who bitches and complains (like mine do!) -- then you are S.O.O.L.
It can be very frustrating but you got to keep reminding yourself why you do what you do - for the love and for the nookie!
But to add, and this is the reason for OP and thread. Not all my stations are managed. It's also getting pretty bad with mobile/laptop users. Almost getting to the point where every Tom, Dick and Harry who knows how to set manual IPs is connecting to the network with machines I have never seen.
September 8th, 2005, 04:27 PM
While I have no direct control over it, I can tell you that organizations that I have worked with don't scan the desktops, however several of them have used Thin Clients... which to me makes life a hell of a lot easier in the first place.... It always kills me to see someone who sits and modifies Excel sheets all day, but still has a full desktop with their own OS.... give them a thin client... Then the resources to scan every machine would be more easily available.
The big thing with desktops (workstations) is to ensure that they are patched and updated... That's what's most important, perhaps instead of running Nessus scans, it might be more appropriate to scan them with the Microsoft Baseline Security Analyzer... it'll let you know about missing patches for both the OS and Office as well as other parts of Windows. You can set it up to scan your subnet and walk away, coming back to a very nice report when it's done.... Might be more practical if you have Windows Workstations.
As far as your users connecting their laptops and setting an IP Address.... have you considered 802.1x on your switches? Or perhaps limiting each port to a specific MAC Address?
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".