When we are performing Vulnerability Assessments for clients, we are often asked for ways to obtain a ports and services list for CIP-007 R2. I decided to post a policy that we often use to obtain this list for Windows systems. It uses approximately 20 plug-ins, most of which are in the Settings family. The Nessus policy requires the SMB account and password to be set. I included a couple of plug-ins which may be unnecessary but are helpful, such as the ‘WMI Available’ plug-in, which is a good indicator that the scan was able to log into the system.
Nessus will log in and provide a list of all services, both active and inactive. The services will typically be listed under port 445, though occasionally they appear on one of the other Windows ports. All of the ports are discovered using netstat, and the process attached to each port is discovered using a WMI plug-in. The policy should work for Nessus versions 4.2.0 and above, though it may work for some of the older ones as well.
Nessus 4.4.0 allows scans to be scheduled, which means you can set it up to automatically check your CIP compliance as often as you desire. You can then use the ‘Compare’ feature in the ‘Reports’ section of Nessus to determine if anything has changed. Always test the policy in a lab environment before letting it run on your production network.
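As an added example (not part of the original post, and not a Nessus policy or plug-in), the script below collects the same evidence the policy gathers, that is listening ports from netstat, the owning process and the services hosted in it from WMI, and the full active/inactive service list, and then diffs two snapshots the way the ‘Compare’ report does. It assumes an elevated PowerShell 3.0 or later session on the Windows host itself, netstat.exe on the PATH, a running WMI service and an English-language netstat (the LISTENING state string is locale-dependent); the baseline directory and the function names are my own choices.

```powershell
# Added example; not from the original post and not part of any Nessus policy or plug-in.
# Builds the same kind of evidence the policy collects (listening ports, owning process via WMI,
# hosted services, and the full service list) and diffs two snapshots like the Nessus 'Compare' report.
# Assumptions: elevated PowerShell 3.0+ on the Windows host, netstat.exe on the PATH, WMI running,
# and an English netstat ('LISTENING' is locale-dependent). The baseline directory is an example path.

function Get-PortsAndServicesInventory {
    # PID -> Win32_Process, the WMI class that ties a listening port back to its process.
    $procByPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procByPid[[int]$_.ProcessId] = $_ }

    # PID -> names of the services hosted in that process (one svchost.exe often hosts several).
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
        $svcByPid[$p] += $_.Name
    }

    # netstat -ano rows: TCP = Proto, Local, Foreign, State, PID; UDP rows have no State column.
    netstat -ano | ForEach-Object {
        $fields = $_.Trim() -split '\s+'
        if ($fields[0] -notin @('TCP', 'UDP')) { return }      # skip headers and blank lines
        $proto    = $fields[0]
        $endpoint = $fields[1]
        if ($proto -eq 'TCP') {
            if ($fields[3] -ne 'LISTENING') { return }        # established sessions are not exposed ports
            $owner = [int]$fields[4]
        } else {
            $owner = [int]$fields[3]
        }
        $cut      = $endpoint.LastIndexOf(':')                # works for [::]:135 as well as 0.0.0.0:135
        $proc     = $procByPid[$owner]
        $procName = if ($proc) { $proc.Name } else { 'unknown' }
        $procPath = if ($proc) { $proc.ExecutablePath } else { '' }
        $services = if ($svcByPid.ContainsKey($owner)) { $svcByPid[$owner] -join ';' } else { '' }
        [PSCustomObject]@{
            Protocol       = $proto
            Port           = [int]$endpoint.Substring($cut + 1)
            LocalAddress   = $endpoint.Substring(0, $cut)
            ProcessId      = $owner
            Process        = $procName
            ExecutablePath = $procPath
            Services       = $services
        }
    }
}

function Get-ServiceInventory {
    # All services, running or not, with their start mode and binary path (what CIP-007 R2 asks you to justify).
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName |
        Sort-Object Name
}

function Export-CipBaseline {
    param([string]$OutputDirectory = 'C:\CIP\Baselines')      # example path, change to suit
    New-Item -ItemType Directory -Force -Path $OutputDirectory | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    Get-PortsAndServicesInventory | Sort-Object Protocol, Port |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutputDirectory "$env:COMPUTERNAME-ports-$stamp.csv")
    Get-ServiceInventory |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutputDirectory "$env:COMPUTERNAME-services-$stamp.csv")
}

function Compare-CipBaseline {
    # Reports ports that appeared or disappeared between two port snapshots, keyed on protocol, port and process.
    param([string]$Previous, [string]$Current)
    $old = @(Import-Csv -Path $Previous)
    $new = @(Import-Csv -Path $Current)
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Protocol, Port, Process |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Protocol, Port, Process
}

# Usage from an elevated prompt (file names below are placeholders):
#   Export-CipBaseline
#   Compare-CipBaseline -Previous 'C:\CIP\Baselines\HOST-ports-OLD.csv' -Current 'C:\CIP\Baselines\HOST-ports-NEW.csv'
```

The Services column is the useful part for CIP evidence: a port owned by svchost.exe tells an auditor nothing on its own, so the script joins Win32_Service.ProcessId back to the PID to name the services actually living in that process. Scheduling Export-CipBaseline with Task Scheduler and diffing consecutive CSVs gives the same change-tracking the scheduled Nessus scan and ‘Compare’ report provide, and the two sources can be cross-checked against each other.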
If you need help setting up Nessus or Windows for authenticated scans, refer to the Nessus documentation listed here.
I will post a couple more standard policies we use to obtain other CIP settings soon.