rgula at tenablesecurity
Feb 11, 2009, 10:09 AM
Post #2 of 3
Doug Nordwall wrote:
> does anyone have the minimum set of permissions needed to run an
> authenticated scan with safe checks enabled on windows machines? I know
> there is a lot of registry reading, but I'm guessing not writing. My desire
> is to make a user that can complete a scan, but will pose minimal other
> on unix, it doesn't appear possible to limit the command set much, as most
> of it appears to be running through /bin/sh (run a sudo scan and check your
This would be a great discussion on the new Discussion forum ...
You really need registry read and file read.
With Windows audits, if you limit the checks to just reading registry
settings, you'll prevent many credentialed checks from working which
require file read access. This includes all of the patch audits, most
of the 3rd party vulns (java, itunes, mozilla, etc.) and the audits
which test anti-virus installations.
If you get into the WMI set of checks (you do want Nessus to list
the installed software, disk info, cpu info, etc.) you need to ensure
that access as well.
Tenable Network Security