Desktop vulnerability scanning

wtburnette (2[H]4U, joined Jun 24, 2004, 3,580 messages)
So, the company I work for has decided to scan for vulnerabilities at the desktop level. We want to create our own program, or system, for this. Not sure whether that means it will be a procedure of what already developed products will be used in what order to determine risks and then create an action list from the results, or what exactly it means at this point. I know there are a lot of experienced people in this forum and I wanted to see if anyone had experience with vulnerability scanning on the desktop level and what all is involved. Thanks in advance!
 
Well, I have to say, I can't understand the logic of creating your own program unless you have some security guy who wanted to write a vuln scanner and convinced management to fund his hobby.

I think the most important thing you need is clarification from management on exactly why they want this. There are a lot of reasons for doing this. But until you understand why management is deciding to pursue this path, it's tough to figure out how to build your program.

I'm making an assumption that your desktops are Windows and you're on a domain.

Typically enterprises use a known vulnerability scanning tool such as Nessus/Tenable, Rapid7, Saint, Foundstone VulnScanner, etc. For scanning desktops, these tools are provided with a Domain Admin-level service account and they perform "credentialed scans". Essentially, they log on to each machine and run through their exhaustive list of vulnerability checks and report back on what is found. Each of those vendors has at least one, and frequently more, full-time employees working just to update their tools with new vulnerabilities. That's why it's very difficult for someone to roll their own scanner.

One of the most important steps is to make sure your base image is configured correctly. Also make sure that your post-installation procedures are finalizing any security settings/configurations. You need to make sure that when a new system comes on the network it is reasonably up to date and secure.

By far the largest portion of vulnerabilities you are going to find is related to patches. If your base image is decent and your group policy settings aren't wide open, roughly 90% of your vulns are going to come from missing software patches. Microsoft patches can be checked and applied throughout the enterprise fairly easily with Microsoft's own tools such as MBSA and WSUS, or by writing some PowerShell scripts that query for current patches and then parsing the info out on the back end. 3rd-party patches for common software such as Adobe, Java, and browsers are a bit more problematic. You _could_ write your own scripts to check for known vulnerable versions. But you'd be spending a lot of time just writing the scripts and a lot less time fixing the actual problem.

Misconfigured security settings will also crop up in a lot of vulnerability reports. Usually these are an easy fix because most settings should be applied through group policy. MBSA will check some common settings and you can also use PowerShell to write your own scripts to check for specific settings you're interested in. But usually, any issues found here should be fixed in your base image and in your group policy settings.

Malware frequently gets found as well. Usually your AV should be catching this too, though.

Lastly, you're going to be finding the remaining "stuff", which is typically unapproved third-party software that someone installed. Usually you'll find older versions that have some known vulnerability that needs to be remediated. These are the harder issues to fix because you usually need to work with individuals to fix or upgrade a single software package. Again, it would be very hard to write your own tools to scan for vulnerabilities in ALL the possible software out there. If you're determined to do this yourself, I think you're best off writing some PowerShell scripts that enumerate installed software, parse that out into a spreadsheet or database, and then monitor the vulnerability mailing lists for vulns in these packages. Or better yet, just have the user uninstall the software.

Vulnerability scanning definitely has its use. But also remember that the time you spend detecting vulnerabilities could be spent actually fixing them. If you've got a great system deployment process, a good patch management program, and effective group policies, then scanning for vulnerabilities will give you good insight into what other areas to focus on. But if not, you could be refining those processes and actually reducing your exposure instead of just proving how bad things are.

Lastly, make sure you're aware of Pass the Hash attacks. Connecting to all of your desktops with Domain Admin credentials can cause its own problems.
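The patch query, installed-software enumeration and version comparison that the reply above sketches, as an added example that is not part of the original post and not any vendor's tool. It is a stand-alone PowerShell script: it collects hotfixes via Get-HotFix and installed packages from the registry Uninstall keys on each host, flags packages below a locally maintained minimum version, and writes both inventories to CSV. Assumptions: WinRM is enabled for remote hosts (Invoke-Command), Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, and the `$MinimumVersions` table is a constructed placeholder whose patterns and version numbers you would replace with values taken from vendor advisories or the mailing lists the reply mentions.

```powershell
<#
  Added example, not code from the original post. Inventories Microsoft hotfixes and
  installed software on one or more Windows hosts, then flags packages whose version is
  below a locally maintained minimum. $MinimumVersions is a constructed placeholder;
  its patterns and version numbers are assumptions, not vendor data.
  Remote hosts are reached with Invoke-Command, which assumes WinRM is enabled.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Use a dedicated, least-privilege scanning account rather than Domain Admin:
    # whatever account you connect with leaves its hash on every host it touches.
    [pscredential]$Credential,
    [string]$OutDir = '.'
)

# Constructed placeholder: wildcard pattern for DisplayName -> lowest version treated as patched.
$MinimumVersions = @{
    'Adobe Reader*'    = [version]'11.0.0'
    'Java * Update*'   = [version]'8.0.0'
    'Mozilla Firefox*' = [version]'50.0.0'
}

function ConvertTo-VersionSafe {
    param([string]$Text)
    # DisplayVersion strings are not always clean ("15.0 (build 123)", "1.2.3.4.5");
    # keep only a leading 2-4 component dotted number, which is what [version] accepts.
    if ($Text -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

# Runs locally or on the remote host: collect hotfixes and installed software.
$inventoryBlock = {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
    $hotfixes = Get-HotFix | Select-Object HotFixID, InstalledOn
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Software = @($software)
        HotFixes = @($hotfixes)
    }
}

$inventory = foreach ($target in $ComputerName) {
    if ($target -eq $env:COMPUTERNAME) {
        & $inventoryBlock
    } else {
        $icm = @{ ComputerName = $target; ScriptBlock = $inventoryBlock; ErrorAction = 'Stop' }
        if ($Credential) { $icm.Credential = $Credential }
        try { Invoke-Command @icm } catch { Write-Warning "${target}: $($_.Exception.Message)" }
    }
}

# Compare each installed package against the minimum-version table.
$findings = foreach ($inv in $inventory) {
    foreach ($app in $inv.Software) {
        foreach ($rule in $MinimumVersions.GetEnumerator()) {
            if ($app.DisplayName -notlike $rule.Key) { continue }
            $installed = ConvertTo-VersionSafe $app.DisplayVersion
            $status = if ($null -eq $installed) { 'UnparsedVersion' }
                      elseif ($installed -lt $rule.Value) { 'Outdated' }
                      else { 'OK' }
            [pscustomobject]@{
                Computer  = $inv.Computer
                Product   = $app.DisplayName
                Installed = $app.DisplayVersion
                Minimum   = $rule.Value.ToString()
                Status    = $status
            }
        }
    }
}

# Flatten the hotfix lists into one row per host and KB for the spreadsheet/database step.
$hotfixRows = foreach ($inv in $inventory) {
    foreach ($hf in $inv.HotFixes) {
        [pscustomobject]@{ Computer = $inv.Computer; HotFixID = $hf.HotFixID; InstalledOn = $hf.InstalledOn }
    }
}

if ($findings)   { $findings   | Export-Csv -Path (Join-Path $OutDir 'software-findings.csv') -NoTypeInformation }
if ($hotfixRows) { $hotfixRows | Export-Csv -Path (Join-Path $OutDir 'hotfix-inventory.csv') -NoTypeInformation }

# Console summary: anything not 'OK' needs a human to look at it.
$findings | Where-Object Status -ne 'OK' | Sort-Object Computer, Product | Format-Table -AutoSize
```

Run it as `.\Inventory-Desktops.ps1 -ComputerName PC01,PC02 -Credential (Get-Credential)` from a workstation that can reach the targets over WinRM; pass a scoped scanning account, not a Domain Admin one. Packages whose DisplayVersion cannot be parsed are reported as `UnparsedVersion` rather than silently treated as current, since a string like "15.0 (build 123)" would otherwise hide an outdated install.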
 
Thank you for this wealth of information. I guess I should clarify that we're not coding a program to do these scans, we're coming up with a system for doing this. We have a scanning program, but want to design a system or procedure around the scanning to verify it's finding everything we need to worry about and if not to develop a full process for including the use of other tools as needed.
 