Security Assessment with Nessus

As an IT Professional, one of your most important responsibilities is to ensure that your environment is a secure one in terms of protection from known vulnerabilities. To many Sys Admins, this often means just making sure patches are applied. That is necessary, but patching alone isn’t the complete answer, many problems are not resolved by patching. Critical security issues can be the result of accidental or negligent misconfigurations of some system component, poorly coded applications (especially web apps), the result of some past malicious activity, or any number of other factors.

There are a large number of security assessment tools available, ranging widely in capabilities and price. The Microsoft Baseline Security Analyzer (MBSA) tool is one familiar to many, but that only shows a small subset of potential problems on Windows based machines. An MBSA scan result of Pass can lure one into a false sense of security. One of the best, if not the best, security assessment tools is Nessus, a cross platform scanner from the Tenable Network Security group. Nessus has consistently been voted #1 security tool in Top 100 survey. The Nessus scanner can identify problems on Windows and *nix based hosts, as well as other networked systems such as routers and NAS devices. The Nessus scanner will use various methods to attempt OS fingerprinting and service detection, then utilizing a system of “plugins”, Nessus identifies system misconfigurations, known vulnerabilities, or systems otherwise not complying with a local security policy. Having this information allows you to resolve problems that could lead to privilege escalations, denial of service (DoS) attacks, data theft, etc. It can be quite eye opening to see how many potential problems exist on your network.

Here are some problems of various severity levels identified by a recent Nessus scan on my network:

  • IIS Web server: found cross site scripting vulnerabilities because of unnecessarily enabled debugging functions; various misconfigurations allowing path enumeration & site maps, plain text authentication forms, and some minor CGI issues
  • Apache Web server: identified old version allowing cross site scripting vulnerabilities in several in-use modules; potential DoS issue
  • Domain Controllers: allow certain anonymous LDAP enumeration queries (actually the default in Server 2003)
  • Discovered several systems with “Etherleak” vulnerabilities in NIC drivers, including a router – where contents from memory or previous packets are leaked in response to malformed packets.
  • Found vulnerability in McAfee ePO agent allowing remote code execution.
  • Found old version of print daemon on a Linux print server allowing remote command execution
  • NAS Device: Found Samba buffer overflow vulnerability allowing remote code execution; identified enabled guest account allowing NULL session share & file enumeration.
  • Identified a few MS Terminal Servers vulnerable to MITM attacks
  • Database Servers: found a brute force and several buffer overflow vulnerabilities on 2 different platforms

As you can see, Nessus is great for giving you an idea of where your environment stands from a security & vulnerability perspective. Obviously it’s also a must for anyone with an interest in penetration testing. Nessus binaries are available for Windows, Linux, Mac, & Unix. The Windows version uses an agentless client-server model (both can be on the same machine), is easily configured, and simple to install. Scan results can be exported into various formats. There is also a “Safe Checks” option that, when disabled, will actually attempt to exploit some vulnerabilities or crash certain services or OS’s (obviously not recommended in production). Nessus is free to download and use for personal use, with licensing options available for support and advanced enterprise usage.

A successful security policy design often uses a layered approach. Many problems identified by a security assessment can be mitigated by other best practices such as patching, proper segmentation, firewall design, least user privilege, and secure coding. Nessus is one of several tools available to IT personnel to ensure their infrastructure is secure as possible at all layers.

Nessus Vulnerability Scanner


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: