Nessus WMI Compliance Checks
Tenable recently announced an additional feature for the Nessus compliance checks: support for WMI (Windows Management Instrumentation). I have used WMI for some scripting in the past and have even played with WMIC. Still, I wasn’t sure whether or how this capability would help with Bandolier, so I decided to use the WMI Object Browser to do some investigation.
The first thing that caught my eye was the Win32_UserAccount class. Since most control system applications leave some default accounts behind, verifying that they have been removed is an important part of an audit. On *nix OSes we’ve been able to do this very easily by reading the passwd file, but it has been a challenge on Windows. Could WMI and Win32_UserAccount give us a reliable equivalent on the Windows side? My first test, which looked like this, was disheartening:
<custom_item>
  type: WMI_POLICY
  description: "Check for default account (operator1)"
  value_type: POLICY_TEXT
  value_data: "operator1"
  wmi_namespace: "root/CIMV2"
  wmi_request: "SELECT Name FROM Win32_UserAccount"
  wmi_attribute: "Name"
  wmi_key: "Name"
  wmi_option: WMI_ENUM
  check_type: CHECK_NOT_EQUAL
</item>
The problem: the check always reported compliant, even when the operator1 account existed. WMI_ENUM returns every account name on the host, and CHECK_NOT_EQUAL is satisfied as long as the enumeration contains values other than operator1, which it always will on a Windows host with more than one account. The check type was functioning as designed, just not the way I wanted. Thanks to some guidance from our friends at Tenable, I realized that what I needed to do was combine CHECK_EQUAL_ANY, which passes when any enumerated value matches value_data, with an if/then/else that inverts the result, since a match here means the default account is still present:
<if>
  <condition type:"or">
    <custom_item>
      type: WMI_POLICY
      description: "Check for default account (operator1)"
      value_type: POLICY_TEXT
      value_data: "operator1"
      wmi_namespace: "root/CIMV2"
      wmi_request: "SELECT Name FROM Win32_UserAccount"
      wmi_attribute: "Name"
      wmi_key: "Name"
      wmi_option: WMI_ENUM
      check_type: CHECK_EQUAL_ANY
    </item>
  </condition>
  <then>
    <report type:"FAILED">
      description: "A default account (operator1) exists"
    </report>
  </then>
  <else>
    <report type:"PASSED">
      description: "The default account (operator1) does not exist"
    </report>
  </else>
</if>
Success! This yielded the results we were after: the check now fails when operator1 is present and passes when it is gone. We have a more reliable way to test for default accounts on Windows servers and workstations.
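To make the evaluation semantics concrete, here is a small Python model of the two audit items above run against a constructed account list. This is an added example, not code from the original post or from Tenable; the behaviour of CHECK_NOT_EQUAL (compliant if any enumerated value differs) and CHECK_EQUAL_ANY (match if any enumerated value equals value_data) is assumed from what the post describes, and the account names, the hypothetical default-account list and the LocalAccount filter (mimicking a `WHERE LocalAccount = True` clause, which keeps domain accounts out of the enumeration on a domain-joined host) are all constructed for illustration.

```python
"""Model of how an enumeration-style WMI compliance check evaluates a
multi-valued Win32_UserAccount result.  Added example, not Tenable's
implementation: the check semantics below are assumptions based on the
behaviour described in the post."""

# Constructed sample: what "SELECT Name, LocalAccount FROM Win32_UserAccount"
# might return on a domain-joined control system host (hypothetical names).
SAMPLE_ACCOUNTS = [
    {"Name": "Administrator", "LocalAccount": True},
    {"Name": "Guest", "LocalAccount": True},
    {"Name": "operator1", "LocalAccount": True},   # vendor default account
    {"Name": "svc_hist", "LocalAccount": False},   # domain account
]

# Hypothetical list of vendor default accounts an audit would look for.
DEFAULT_ACCOUNTS = ("operator1", "engineer", "scadauser")


def enumerate_names(accounts, local_only=True):
    """Mimic WMI_ENUM over the query result.  local_only mimics a WQL
    'WHERE LocalAccount = True' filter so domain accounts are skipped."""
    return [a["Name"] for a in accounts if a["LocalAccount"] or not local_only]


def check_not_equal(values, expected):
    """Assumed CHECK_NOT_EQUAL semantics over an enumeration: compliant as
    long as at least one returned value differs from value_data."""
    return any(v != expected for v in values)


def check_equal_any(values, expected):
    """Assumed CHECK_EQUAL_ANY semantics: true when any value matches."""
    return any(v == expected for v in values)


def naive_audit(accounts, account):
    """The first attempt from the post: a bare CHECK_NOT_EQUAL item.
    Returns 'PASSED' or 'FAILED'."""
    names = enumerate_names(accounts)
    return "PASSED" if check_not_equal(names, account) else "FAILED"


def inverted_audit(accounts, account):
    """The working version: CHECK_EQUAL_ANY inside <if>/<then>/<else>.
    A match means the default account exists, so the result is FAILED."""
    names = enumerate_names(accounts)
    return "FAILED" if check_equal_any(names, account) else "PASSED"


def audit_defaults(accounts, defaults=DEFAULT_ACCOUNTS):
    """Run the inverted check for every known default account."""
    return {acct: inverted_audit(accounts, acct) for acct in defaults}


if __name__ == "__main__":
    for acct in DEFAULT_ACCOUNTS:
        print(f"{acct:10} naive={naive_audit(SAMPLE_ACCOUNTS, acct):6} "
              f"inverted={inverted_audit(SAMPLE_ACCOUNTS, acct)}")
```

Running it shows the trap from the post: `naive_audit` reports PASSED for operator1 because Administrator and Guest are "not equal" to it, while `inverted_audit` reports FAILED for operator1 and PASSED for the accounts that are absent. The naive check only fails in the degenerate case where operator1 is the sole account returned.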
I plan to spend some more time with WMI to determine what other information may be useful for Bandolier checks and will keep you updated.
Author: Jason Holcomb
Posted: August 8th, 2008 under Assessment Tools, Bandolier.