Just wondered if anyone had answers or insight to these two questions (We are on Foundstone 6.7):
1. What kind of permissions, in both UNIX and on Windows 2003, are required for the credential scan to be effective? There is a KB article that states you have to have local admin rights to scan WIN 2008 servers but nothing really on Windows 2003. What has been your experience with credential scans, and are they worth it?
2. Your Score - We have a large number of UNIX systems, some with Oracle and we have a large number of false positives. We have implemented the ticketing system and acknowledged these alerts as such but this does not change your score. Any thoughts or experience with this?
Windows Credential Requirements:
A combination of registry and file system access is required and is best accomplished with a local administrative account. The reason is that once the scan engine has authenticated to a target, two different connections are attempted to determine the level of access.
- The scan engine attempts to access the target's registry via the Remote Registry Service.
- File system access is attempted by connecting to both C$ and Admin$.
Shell Credential Requirements:
Please read KB54752
This is a common question that takes a little digging to understand. Most of the time it comes down to the fact that it only takes a few vulnerabilities to adversely affect your Foundscore. Once you drop down below a certain point it takes fixing quite a few vulnerabilities before you will see the Foundscore move. I've attached the 6.7 Enterprise Manager Admin Guide to this post. Please go to page 30 and read through the documentation and let me know if you have any questions and I'll try and help you out.
Jeff Haynes
Message was edited by: Jeffrey Haynes on 6/16/10 1:38:35 PM CDT
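A pre-flight check for the two Windows connections described in the answer above (Remote Registry, then C$ and Admin$), added here as an example and not taken from the thread or from the Foundstone product. It assumes it is run from a Windows host while logged on as the scan account; the host name and the registry key it opens are placeholders chosen for illustration.

```powershell
# Added example: verify the access a credentialed Windows scan relies on.
# Run as the scan account. The target name below is a placeholder.
param(
    [string[]]$Targets = @('server01.example.test')   # hypothetical host name
)

function Test-ScanAccess {
    param([Parameter(Mandatory)][string]$Target)

    $result = [ordered]@{
        Target         = $Target
        RemoteRegistry = $false
        CShare         = $false
        AdminShare     = $false
        Detail         = ''
    }

    # 1. Registry access through the Remote Registry service.
    #    The subkey is an assumption: any key under HKLM that exists on every host works.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $result.RemoteRegistry = ($null -ne $key)
        if ($key) { $key.Close() }
        $hklm.Close()
    } catch {
        # Typical causes: service stopped or disabled, access denied, host unreachable.
        $result.Detail += "registry: $($_.Exception.Message); "
    }

    # 2. File system access through the administrative shares.
    foreach ($share in @{ CShare = 'C$'; AdminShare = 'ADMIN$' }.GetEnumerator()) {
        try {
            $path = "\\$Target\$($share.Value)"
            $result[$share.Key] = Test-Path -LiteralPath $path -ErrorAction Stop
        } catch {
            $result.Detail += "$($share.Value): $($_.Exception.Message); "
        }
    }
    [pscustomobject]$result
}

$Targets | ForEach-Object { Test-ScanAccess -Target $_ } | Format-Table -AutoSize
```

A row with any `False` column identifies a host where the account lacks one of the two kinds of access the answer lists.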
Thank you for the answers. Maybe hard to answer, but will setting vulnerabilities to ignore or false-positive and then acknowledging them have any effect on the Foundstone score?
On Page 25 of the 6.7 Enterprise Manager Guide it says this.
Note: Tickets marked as Ignore will affect future scan reports. Future scans
that find this vulnerability on this machine will not record this vulnerability for
this machine on future scan reports.
What that means is that we will not change the existing Foundscore, but since the vulnerability will be considered a false positive or ignored on the next scan, the Foundscore will automatically correct itself.