
Auditing Approved Services with Nessus Policy Compliance and WMI

With the Nessus policy compliance plugins you can check password policy, auditing, logging, file permissions, services, and a host of other settings through configuration files and registry keys. This kind of authenticated scanning is the technology that makes Bandolier possible.

A key part of configuration auditing and host hardening is verifying that a minimal set of services is running. The compliance plugins allow you to check the service startup policy — Automatic, Manual, or Disabled. Still, there has always been an aspect of this that bothered me: I could only write checks for all the services I knew about. What if a new service was installed? The audit file would not flag that case. What I really needed was a way to define a list of services and then have Nessus report back if there was any service running outside the list. (Incidentally, something that would generate a nice report for NERC CIP-007 R2.)

My Digital Bond colleague Marco Cajina inspired me to take a second look at WMI as a way to solve this problem for Windows servers and workstations. After experimenting with a number of WQL queries, I landed on a combination that makes it possible.

Here’s what the actual check looks like:

<custom_item>
type: WMI_POLICY
description: "Verify that only the required services are running"
value_type: POLICY_TEXT
value_data: "Stopped"
wmi_namespace: "root/CIMV2"

wmi_request: "SELECT DisplayName, State FROM Win32_Service
WHERE NOT (DisplayName='Automatic Updates'
OR DisplayName='COM+ Event System'
OR DisplayName='Computer Browser'
OR DisplayName='Cryptographic Services'
OR DisplayName='DCOM Server Process Launcher'
OR DisplayName='DHCP Client'
OR DisplayName='Distributed Link Tracking Client'
OR DisplayName='DNS Client'
OR DisplayName='Error Reporting Service'
OR DisplayName='Event Log'
OR DisplayName='Help and Support'
OR DisplayName='IPSEC Services'
OR DisplayName='Logical Disk Manager'
OR DisplayName='McAfee Framework Service'
OR DisplayName='McAfee McShield'
OR DisplayName='McAfee Task Manager'
OR DisplayName='Net Logon'
OR DisplayName='Network Connections'
OR DisplayName='Network Location Awareness (NLA)'
OR DisplayName='Plug and Play'
OR DisplayName='Print Spooler'
OR DisplayName='Protected Storage'
OR DisplayName='Remote Access Connection Manager'
OR DisplayName='Remote Procedure Call (RPC)'
OR DisplayName='Remote Registry'
OR DisplayName='Secondary Logon'
OR DisplayName='Security Accounts Manager'
OR DisplayName='Server'
OR DisplayName='Shell Hardware Detection'
OR DisplayName='System Event Notification'
OR DisplayName='System Restore Service'
OR DisplayName='Task Scheduler'
OR DisplayName='TCP/IP NetBIOS Helper'
OR DisplayName='Terminal Services'
OR DisplayName='Windows Audio'
OR DisplayName='Windows Firewall/Internet Connection Sharing (ICS)'
OR DisplayName='Windows Image Acquisition (WIA)'
OR DisplayName='Windows Management Instrumentation'
OR DisplayName='Windows Time'
OR DisplayName='Workstation')"

wmi_attribute: "State"
wmi_key: "DisplayName"
</custom_item>

Here's what the report looked like when I ran the check against a machine with Apache (an unapproved service) installed:

[Screenshot: service-report]

And finally, here’s how the logic works:

1.) Predefine the list of approved services in the WQL query.
2.) Use WQL to select the DisplayName and State of every service that does not match the approved list.
3.) Use the compliance check to verify that the State of every non-approved service is "Stopped".
4.) Any service that is not in the approved list and is not stopped (Running, but also Start Pending or Paused) is flagged in the report.

One caveat: the match is on DisplayName, which is just a string chosen by whoever installed the service, so a rogue service that registers itself under an approved display name would slip through this check. For a stricter baseline, key the query on Name (the short service name) or compare PathName as well.

Mission accomplished!
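To try the same query outside Nessus, here is an added PowerShell example (not code from the original post or from Bandolier) that builds the audit file's WQL from an approved-services array, runs it through WMI, and applies the same "everything returned must be Stopped" rule. It assumes it is run as a local administrator on the host being checked (or given -ComputerName for a remote host), and the short approved list in it is illustrative rather than a hardening baseline.

```powershell
# Added example, not code from the original post or from Bandolier: run the
# "services outside the approved list" WQL query from PowerShell so the
# allowlist can be validated on a host before it is committed to an .audit file.
# Assumptions: run as a local administrator on the host being checked (or pass
# -ComputerName for a remote one); the approved list below is illustrative.

param(
    [string[]]$ApprovedDisplayNames = @(
        'COM+ Event System',
        'Cryptographic Services',
        'DCOM Server Process Launcher',
        'Event Log',
        'Remote Procedure Call (RPC)',
        'Windows Management Instrumentation',
        'Workstation'
    ),
    [string]$ComputerName
)

# Build the audit file's WQL from the list so the two cannot drift apart.
# WQL string literals use backslash escaping, so a backslash or single quote
# inside a display name is escaped before it is embedded in the query.
function New-UnapprovedServiceQuery {
    param([string[]]$DisplayNames)
    $terms = foreach ($n in $DisplayNames) {
        $escaped = $n.Replace('\', '\\').Replace("'", "\'")
        "DisplayName='$escaped'"
    }
    # Name and PathName are selected as well so a service that merely copied an
    # approved display name can be told apart from the real one.
    'SELECT Name, DisplayName, State, StartMode, PathName FROM Win32_Service ' +
        'WHERE NOT (' + ($terms -join ' OR ') + ')'
}

$query = New-UnapprovedServiceQuery -DisplayNames $ApprovedDisplayNames

$cimArgs = @{ Namespace = 'root/CIMV2'; Query = $query }
if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }

# Mirror the compliance check: the host passes only if every service returned
# by the query is Stopped. Running, Start Pending and Paused all count as an
# unapproved service that is active.
$violations = @(Get-CimInstance @cimArgs | Where-Object { $_.State -ne 'Stopped' })

if ($violations.Count -eq 0) {
    Write-Output 'PASS: no active service outside the approved list'
    exit 0
}

Write-Output "FAIL: $($violations.Count) active service(s) outside the approved list"
$violations |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize
exit 1
```

Generating the WHERE clause from the array is the point of the script: when the approved list changes, the same function can emit the text that goes into the wmi_request line of the audit file, so the Nessus check and the local check never disagree. The script exits non-zero on a failure so it can also be dropped into a scheduled job or a build pipeline as a quick pre-check.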

I think this is a big win for Windows configuration auditing and can’t wait to get it integrated into future Bandolier releases. Stay tuned for some other creative uses of WMI for configuration auditing.
