
Mailing List Archive: Nessus: users

minimum set of permissions

 

 



raleel at gmail

Feb 11, 2009, 8:24 AM

Post #1 of 3 (5231 views)
minimum set of permissions

Does anyone have the minimum set of permissions needed to run an
authenticated scan with safe checks enabled on Windows machines? I know
there is a lot of registry reading, but I'm guessing not writing. My desire
is to make a user that can complete a scan, but will pose minimal other
risks.

On Unix, it doesn't appear possible to limit the command set much, as most
of it appears to be running through /bin/sh (run a sudo scan and check your
logs).

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs


rgula at tenablesecurity

Feb 11, 2009, 10:09 AM

Post #2 of 3 (4822 views)
Re: minimum set of permissions

Doug Nordwall wrote:
> Does anyone have the minimum set of permissions needed to run an
> authenticated scan with safe checks enabled on Windows machines? I know
> there is a lot of registry reading, but I'm guessing not writing. My desire
> is to make a user that can complete a scan, but will pose minimal other
> risks.
>
> On Unix, it doesn't appear possible to limit the command set much, as most
> of it appears to be running through /bin/sh (run a sudo scan and check your
> logs).
>

This would be a great discussion on the new Discussion forum ...

You really need registry read and file read.

With Windows audits, if you limit the checks to just reading registry
settings, you'll prevent many credentialed checks from working which
require file read access. This includes all of the patch audits, most
of the 3rd party vulns (Java, iTunes, Mozilla, etc.) and the audits
which test anti-virus installations.

If you get into the WMI set of checks (you do want Nessus to list
the installed software, disk info, CPU info, etc.) you need to ensure
that access as well.

Ron Gula
Tenable Network Security
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


Stewart.James at vu

Feb 11, 2009, 1:57 PM

Post #3 of 3 (4810 views)
RE: minimum set of permissions

http://www.nessus.org/documentation/nessus_domain_whitepaper.pdf is
probably a good starting point.



S. J



From: nessus-bounces [at] list
[mailto:nessus-bounces [at] list] On Behalf Of Doug Nordwall
Sent: Thursday, 12 February 2009 3:25 AM
To: Nessus nessus
Subject: minimum set of permissions



Does anyone have the minimum set of permissions needed to run an
authenticated scan with safe checks enabled on Windows machines? I know
there is a lot of registry reading, but I'm guessing not writing. My
desire is to make a user that can complete a scan, but will pose
minimal other risks.

On Unix, it doesn't appear possible to limit the command set much, as
most of it appears to be running through /bin/sh (run a sudo scan and
check your logs).

--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott
Stone, on MMORPGs
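
Added example, not part of the thread or of Nessus: one way to do the "run a sudo scan and check your logs" step from the first post is to tally what the scan account executed under sudo and see whether a sudoers command list could constrain it. The account name `nessus-scan`, the host, and the log lines are constructed; the line layout follows sudo's usual syslog format.

```python
import re
from collections import Counter

# Constructed sample in sudo's syslog format. "nessus-scan" is a hypothetical
# scan account; the commands are illustrative, not taken from a real scan.
SAMPLE_LOG = """\
Feb 11 08:01:12 host1 sudo: nessus-scan : TTY=unknown ; PWD=/home/nessus-scan ; USER=root ; COMMAND=/bin/sh -c uname -a
Feb 11 08:01:13 host1 sudo: nessus-scan : TTY=unknown ; PWD=/home/nessus-scan ; USER=root ; COMMAND=/bin/sh -c cat /etc/redhat-release
Feb 11 08:01:15 host1 sudo: nessus-scan : TTY=unknown ; PWD=/home/nessus-scan ; USER=root ; COMMAND=/bin/sh -c rpm -qa
Feb 11 08:02:40 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Feb 11 08:03:02 host1 sudo: nessus-scan : TTY=unknown ; PWD=/home/nessus-scan ; USER=root ; COMMAND=/usr/bin/id
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh"}


def audit_sudo(log_text, account):
    """Return (Counter of executables sudo ran, inner commands passed to a shell)."""
    binaries = Counter()
    via_shell = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("user") != account:
            continue  # not a sudo record, or a different user
        argv = m.group("cmd").split()
        binaries[argv[0]] += 1
        # sudo logs the argv joined by spaces, so "sh -c 'uname -a'" shows
        # up as "/bin/sh -c uname -a"; everything after -c is the real work.
        if argv[0] in SHELLS and len(argv) > 2 and argv[1] == "-c":
            via_shell.append(" ".join(argv[2:]))
    return binaries, via_shell


def allowlist_is_meaningful(binaries):
    """A sudoers command list that must permit a shell permits any command."""
    return not any(b in SHELLS for b in binaries)


if __name__ == "__main__":
    bins, inner = audit_sudo(SAMPLE_LOG, "nessus-scan")
    print("executables:", dict(bins))
    print("run via shell:", inner)
    print("allowlist would constrain account:", allowlist_is_meaningful(bins))
```
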
