Re: [Plugins-writers] Checking NAV

From: Nicolas Pouvesle (npouvesle@private)
Date: Thu Jan 06 2005 - 06:27:29 PST


Jason Haar wrote:
> Nicolas Pouvesle wrote:
> 
>> You need to provide administrator rights.
>>
>> On your Windows machine, Remote Registry Service must be started.
>> If your system is in a Workgroup you must do this too:
>>
>> run gpedit.msc
>>
>> go to Computer configuration -> Windows settings -> Security settings 
>> -> Local Policies -> Security Options
>>
>> And switch value of "Network access: Sharing and security model for 
>> local accounts" to Classic - local users authenticate as themselves.
>>
>> If you don't do that you will try to connect as guest and you won't be 
>> able to look into the registry.
> 
> 
> This is a very interesting statement - does this affect other Windows 
> checks too?
> 

All Windows checks which need to read keys in the registry are affected.

> I am currently experiencing the problem with Nessus that our IS managers 
> aren't willing to let me run Nessus with a Domain Admin account [in order 
> to have Local Admin level access]. I don't blame them - in fact I said 
> it wasn't a good idea :-) - I don't want admin passwords lying around on 
> our 16 Nessus servers! So instead it runs with a domain "test account" 
> specifically set up for the purpose. However, it ain't a local admin - 
> so can't do most of the Windows tests. Does anyone know a "magic" way of 
> pushing out some form of "add domain account XXX to local admin group" 
> via Active Directory policies or even regedit? I for one would LOVE to 
> know.
> 
> In fact, this really deserves a HOWTO. Most sites must be wanting to run 
> Nessus against Windows boxes, and how safely and securely set up test 
> accounts/etc are central to how well this would work.
> 
> I could even volunteer! ;-)
> 

You can find docs on the Nessus website, like:
http://www.nessus.org/documentation/nessus_windows_scanning.pdf

However it does not explain how to deploy it with Active Directory.

So I will give you some tips.

Your account does not need to be in the domain admin group (maybe it is
needed for some plugins under special conditions but it will work
perfectly in most cases).

You will need to let this user (take a look at the PDF) remotely access
the registry. So with the GPO you must add a new ACL on
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg to allow
this domain user to read this group of keys.

If you modify the Active Directory GPO under Windows XP (maybe it has been
changed in SP2) and your AD runs under Windows 2003, it will add a flag that
Windows 2000 does not know. So in this case your domain user won't be
able to access the registry on Windows 2000 systems.
To solve that you must edit the GPO on your AD2003 server or install a patch
(look on the Microsoft site).

I hope it will help.


Regards,


Nicolas

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
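
A local check of the three prerequisites named in this message (Remote Registry service, Classic sharing model, read ACL on the winreg key), as an added example that is not part of the original post. The account name `EXAMPLE\nessus-scan` is a placeholder, and `ForceGuest` under the Lsa key is the registry value behind the "Sharing and security model for local accounts" policy.

```powershell
# Added example: audit credentialed-scan prerequisites on the local host.
param(
    # Placeholder: replace with the dedicated scan account (DOMAIN\user).
    [string]$ScanAccount = 'EXAMPLE\nessus-scan'
)

$winregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$readKey   = [int][System.Security.AccessControl.RegistryRights]::ReadKey

# 1. The Remote Registry service must be running.
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$serviceOk = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 2. Sharing and security model: ForceGuest 0 = Classic, 1 = Guest only.
#    A missing value is reported as $null so it can be reviewed by hand.
$forceGuest = (Get-ItemProperty -Path $lsaKey -Name ForceGuest `
               -ErrorAction SilentlyContinue).ForceGuest
$classicOk = ($forceGuest -eq 0)

# 3. Explicit Allow rules for the scan account on the winreg key.
#    Access inherited through group membership is not detected here.
$rules = @((Get-Acl -Path $winregKey).Access | Where-Object {
    $_.IdentityReference.Value -eq $ScanAccount -and
    $_.AccessControlType -eq 'Allow'
})
$canRead = @($rules | Where-Object {
    ([int]$_.RegistryRights -band $readKey) -eq $readKey
}).Count -gt 0

# Least privilege: flag any rule granting more than read access.
$moreThanRead = @($rules | Where-Object {
    ([int]$_.RegistryRights -band (-bnot $readKey)) -ne 0
}).Count -gt 0

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    RemoteRegistryUp    = $serviceOk
    ForceGuestValue     = $forceGuest
    ClassicSharingModel = $classicOk
    ScanAccountCanRead  = $canRead
    ScanAccountOverAcl  = $moreThanRead
}
```

Run it from an elevated prompt on the target; `ScanAccountOverAcl` being true means the GPO granted the scan account more than the read access the message calls for.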



This archive was generated by hypermail 2.1.3 : Thu Jan 06 2005 - 06:26:37 PST