Security Trade-offs and Windows Remote Registry
Sometimes security and functionality are a trade-off. But what about when different aspects of security are at odds with each other? There's one fewer of those cases to worry about thanks to a feature that Tenable recently added to Nessus.
The Windows Remote Registry service, as the name implies, allows remote calls to the registry. The service is required for tools like Nessus to read registry values — a key part of Bandolier and Nessus credentialed scanning in general. The problem is that most hardened configurations call for the service to be disabled. In fact, Remote Registry is disabled by default in Windows Vista. The ability to effectively audit seems to be at odds with a requirement for minimal services.
A new Nessus feature addresses this issue by providing an option to temporarily start and stop the service during a scan. I’ve been using it this week while testing the soon-to-be-released Bandolier audit files for AREVA e-terra. We’ve updated the step-by-step instructions in the release package readme and the SCADApedia, but here’s a quick visual that shows what you need to do.
First, add these plugins under the Settings category:

Then go to the Advanced tab and select this option:

Save the policy and that's all there is to it. I've used it for dozens of credentialed scans now against machines with the Remote Registry service disabled and it works like a charm. (For the full Tenable write-up, check out this blog post.)
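For readers who want to see what the Nessus option is doing on the host side, or who need the same behaviour around a scanner that lacks it, here is an added PowerShell example. It is not from the original post and is not Tenable's or Nessus's code: it records the Remote Registry service's current state and start mode, makes the service startable and starts it only for the duration of the audit, then restores both settings and verifies that the hardened state actually came back. It assumes an elevated Windows PowerShell session on the audited host (for instance via Invoke-Command), and the `$Audit` scriptblock is a placeholder standing in for whatever triggers the credentialed scan.

```powershell
# Added example (not from the original post, Tenable or Nessus).
# Run elevated on the audited host. The scriptblock passed to
# Invoke-AuditWithRemoteRegistry is a placeholder for the real scan trigger.

$ServiceName = 'RemoteRegistry'

function Get-ServiceState {
    # Capture run state and start mode together so both can be restored later.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
    [pscustomobject]@{ State = $svc.State; StartMode = $svc.StartMode }
}

function Enable-ServiceForAudit {
    # Make the service startable and start it; return the prior state for restore.
    $before = Get-ServiceState
    if ($before.StartMode -eq 'Disabled') {
        # A disabled service cannot be started, so allow manual start first.
        Set-Service -Name $ServiceName -StartupType Manual
    }
    if ($before.State -ne 'Running') {
        Start-Service -Name $ServiceName
    }
    Write-Verbose "$ServiceName was $($before.State)/$($before.StartMode); running for audit"
    return $before
}

function Restore-ServiceState {
    param([Parameter(Mandatory)]$Before)
    if ($Before.State -ne 'Running') {
        Stop-Service -Name $ServiceName -Force
    }
    # Win32_Service reports 'Auto'/'Manual'/'Disabled'; Set-Service wants
    # 'Automatic'/'Manual'/'Disabled', so map the name before writing it back.
    $startupType = switch ($Before.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { 'Manual' }   # Boot/System modes do not apply to this service
    }
    Set-Service -Name $ServiceName -StartupType $startupType
}

function Invoke-AuditWithRemoteRegistry {
    param([Parameter(Mandatory)][scriptblock]$Audit)   # placeholder scan trigger
    $before = Enable-ServiceForAudit
    try {
        & $Audit
    }
    finally {
        # Runs even if the audit throws, so the service never stays up by accident.
        Restore-ServiceState -Before $before
    }
    # Verify the restore instead of trusting it: the point of the exercise is
    # that the hardened configuration is back once the scan is over.
    $after = Get-ServiceState
    if ($after.State -ne $before.State -or $after.StartMode -ne $before.StartMode) {
        throw "Remote Registry not restored: now $($after.State)/$($after.StartMode)"
    }
    Write-Verbose "$ServiceName restored to $($after.State)/$($after.StartMode)"
}

# Example invocation; the Start-Sleep stands in for the credentialed scan.
Invoke-AuditWithRemoteRegistry -Audit { Start-Sleep -Seconds 2 } -Verbose
```

The try/finally is the part that matters: the whole benefit of starting the service on demand is lost if a failed scan leaves Remote Registry running on a host whose baseline says it should be disabled, so the restore and the post-check run regardless of how the audit ends.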
Author: Jason Holcomb
Posted: June 2nd, 2009 under Bandolier, The Rack.