pdavis at tenablesecurity
Nov 7, 2008, 8:44 AM
Post #4 of 7
Re: Credentialed scans against Windows 2008
What steps other than disabling the firewall and enabling remote desktop were taken on this system? There's a blog entry for scanning Windows Vista systems for FDCC Compliance which details steps to enable policy compliance scanning on systems with Security Center such as Vista (or 2008).
I am currently successfully scanning a Windows 2008 system for audit compliance, and IIRC, I configured it using the steps in this blog entry:
Ray Van Dolson wrote:
> On Fri, Nov 07, 2008 at 06:29:45AM -0800, Paul Davis wrote:
>> How is the following configuration set on your Windows 2008 system:
>> Control Panel (Classic View) => System => Remote settings (upper left
>> hand corner). It should be set to: "Allow connections from computers
>> running any version of Remote Desktop".
>> Let me know if this helps.
> Thanks Paul. This is how it was already set. I have no problems
> connecting via Remote Desktop as the 'nessus' user account that was set
> up in this case either.
> It seems the SMB connection is what isn't working.
> Also have opened a support request with you guys.
> Thanks for the response!
>> Ray Van Dolson wrote:
>>> Hi all, I'm trying to run a credentialed scan against a Windows Server
>>> 2008 machine from a box running Nessus 3.2.1. I initially was doing
>>> this from NessusClient, but am testing with nasl as follows:
>>> ./nasl -T /tmp/hi.log -X -t 10.49.102.75 \
>>> Then providing a valid SMB account as prompted.
>>> The problem is that none of the credentialed checks appear to be
>>> succeeding. I have verified that the account supplied is in the local
>>> Administrators group, and I can remote desktop into the machine as that
>>> user just fine.
>>> Output from the nasl command is as follows:
>>> There was an error during compliance check initialization. Nessus returned
>>> the following error message :
>>> Some errors occurred when attempting to perform the compliance checks :
>>> can't initialize the audit engine: AUDIT_ERROR_NO_SOCKET: an error happened while opening a socket
>>> I did a tcpdump while running the above command and noticed that
>>> Windows responds with a 'reset' packet in response to Nessus' initial
>>> packet to port 445 -- almost like a firewall. However, the firewall is
>>> disabled on this machine.
>>> Also, I am unable to connect to the default shares on the machine using
>>> smbclient (C$, ADMIN$). I get the following error there:
>>> $ smbclient //STDBSTG/C$ -I 10.49.102.175 -U nessus
>>> Domain=[STDBSTG] OS=[Windows Server (R) 2008 Enterprise 6001 Service Pack 1] Server=[Windows Server (R) 2008 Enterprise 6.0]
>>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>> Perhaps this is related.
>>> Anyone have any suggestions? I figure this must be some security
>>> setting in 2008...
Tenable Network Security Inc
Phone: 410.872.0555 x245
Is your network TENABLE?
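The reset on port 445 described in the quoted message can be told apart from a silent firewall drop with a plain TCP connect, since a drop shows up as a timeout and a reset as an immediate refusal. The following is an added example, not part of the original thread and not Tenable's code; the names `probe_tcp`, `smb_preflight`, `scan_can_connect` and `MEANING`, the 3-second timeout and the choice to probe 139 alongside 445 are assumptions made for illustration.

```python
import errno
import socket
import sys

# What each connect outcome says about the path to the SMB service.
MEANING = {
    "open": "a listener accepted the connection; any remaining failure is at the SMB or authentication layer",
    "reset": "the host answered with RST; nothing accepted the connection on this port",
    "filtered": "no answer before the timeout; packets are being dropped on the path or by a host firewall",
    "unreachable": "no route to the address; check the target IP",
}

def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and return 'open', 'reset', 'filtered' or 'unreachable'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "reset"          # RST received in reply to our SYN
    except socket.timeout:
        return "filtered"       # SYN went unanswered
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def smb_preflight(host, ports=(445, 139), timeout=3.0):
    """Probe SMB over TCP (445) and SMB over NetBIOS (139); return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def scan_can_connect(results):
    """True if at least one probed SMB port accepted a TCP connection."""
    return any(state == "open" for state in results.values())

if __name__ == "__main__":
    target = sys.argv[1]        # address of the scan target
    for port, state in smb_preflight(target).items():
        print(f"{target}:{port} {state}: {MEANING[state]}")
```

Run it against the same address that is passed to `nasl -t`, so the result describes the host the scan actually contacts.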