I am going to assume this is in a professional testing environment (audit, assessment, etc.). H Carvey raises a very valid point: if a tool finds a problem, is it *really* a problem? According to who? Microsoft may claim it's a 'feature', and the tool vendor may demonstrate how it compromises security.

The answer lies in the auditor or pen-tester. Your duty is to assess, manage risk, and mitigate those risks. You always have to keep the client's best interests in mind. If ISS or Retina are pumping out vulnerability reports, it's not enough to read these and present them as a report. Verification (in this case it can be done by attempting to read or write information to the remote registry) is required. If there is a vulnerability, it must be measured in terms of risk (but this is a whole other domain).

In some instances, i.e., if it's going to cost a lot of money to protect a network from a certain attack (DDOS), then a verification that this can actually be done is often requested.

Steve

-----Original Message-----
From: H Carvey [mailto:keydet89at_private]
Sent: Friday, May 18, 2001 9:39 AM
To: pen-testat_private
Subject: Re: Access a remote registry

> I'm checking the security of a Windows NT server. I have first used Retina
> to get a general overview of the server, and it has discovered that the
> Guest user has access to the registry.

This post brings up another issue...validation. Retina reports that the Guest account is allowed access to the Registry remotely...but how is this validated? ISS's Internet Scanner (v5.8, v6.0) used to report that the AutoAdminLogon functionality existed if the value was set to '0', which according to Microsoft is incorrect. Rebooting the system proved this.

The point is...if a commercial tool reports a vulnerability, and it's not able to be replicated, then whom do you believe?
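The verification both messages ask for can be scripted. This is an added example, not code from either poster or from any scanner vendor; it assumes it is run on Windows, against a system you are engaged to assess, in a session authenticated as the account the scanner named, and the function names and verdict strings are hypothetical.

```python
# Added example: function names, verdict strings and the host argument are assumptions.
import sys

NT_VERSION = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WINLOGON = NT_VERSION + r"\Winlogon"

def read_remote_value(host, subkey, name):
    """Read one HKLM value over the remote registry with the current session's
    credentials. Returns (status, data)."""
    import winreg  # Windows-only standard-library module, imported lazily
    try:
        hive = winreg.ConnectRegistry("\\\\" + host, winreg.HKEY_LOCAL_MACHINE)
    except PermissionError:
        return "denied", None
    except OSError:
        return "unreachable", None
    with hive:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                return "readable", winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return "absent", None      # key or value does not exist
        except PermissionError:
            return "denied", None      # connected, but the ACL refused the read
        except OSError:
            return "error", None

def assess_autoadminlogon(status, data):
    """Presence of the value is not a finding: only the data '1' turns
    automatic logon on, and '0' (the case in the thread) means it is off."""
    if status in ("denied", "unreachable", "error"):
        return "not verified"
    if status == "absent" or str(data).strip() != "1":
        return "false positive"
    return "confirmed"

def validate(host, reader=read_remote_value):
    """Check both scanner claims by observing the target, not the report."""
    # A value that exists on every NT system: getting it back proves read access.
    access, _ = reader(host, NT_VERSION, "CurrentVersion")
    status, data = reader(host, WINLOGON, "AutoAdminLogon")
    return {
        "remote_registry_read": access == "readable",
        "autoadminlogon": assess_autoadminlogon(status, data),
        "observed": (status, data),
    }

if __name__ == "__main__":
    print(validate(sys.argv[1]))
```

The `observed` pair is what belongs in the report next to the scanner's claim, so the client can see what was actually read and under which account.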
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 10:42:46 PDT