From: H C (keydet89 at yahoo.com)
Date: Fri May 18 2001 - 17:08:13 CDT
> I am going to assume this is in a professional testing environment
> (audit, assessment, etc...). H Carvey raises a very valid point, if a
> tool finds a problem, is it *really* a problem? According to who?
> Microsoft may claim it's a 'feature', and the tool vendor may
> demonstrate how it compromises security.
Reading the responses on this thread, I am seeing two
parallel areas...
1. Is the vulnerability discovered by a commercial
tool _really_ a vulnerability? Yes, the commercial
product may correctly identify the condition, however,
in the overall view, is it really an issue? Or,
perhaps more appropriately, is the severity of the
vulnerability appropriate, given the infrastructure?
2. Was the condition correctly tested? Was the test
conducted, and the result correctly interpreted? For
example, let's look at the issue of the AutoAdminLogon
Registry value. Microsoft says that if this value is
set to 1 (on NT 4.0), then whichever password appears
(in plain text) in the DefaultPassword value is used
to automatically log that username in when the system
starts. If the value is 0, the system will not
automatically log in any account via this
functionality. However, ISS 5.8 and 6.0 would report
a serious vulnerability if the presence of the value
was detected, regardless of the data (1 or 0).
Without verification via some other means, this could
lead to a potentially embarrassing situation for the
consultant.
With commercial tools, the issue seems to be which one
detects more vulnerabilities. Of course, the
discussion then digresses to what defines a
'vulnerability'.
Rather than taking a step forward, I would suggest
taking a step back. Using automated tools to collect
configuration information, which is then interpreted
by a knowledgeable security professional or sysadmin
is really the only way to conduct a thorough
vulnerability assessment. Particularly on NT/2K, this
requires that admins 'get under the hood' a little
bit...but then, it becomes an issue of 'cost'. Do you
want to pay the 'cost' of thousands of dollars for
tools and consultants, or do you want to pay the
'cost' of picking up some books, getting some
information, and learning something new?
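The AutoAdminLogon case above, interpreting the registry data rather than flagging the mere presence of the value, as an added Python example. This is not code from the original post, from ISS or from Microsoft; it parses constructed reg-query-style output for the standard Winlogon key and derives a finding from the data. The sample values, the helper names and the severity labels are assumptions made for this example.

```python
"""Interpret the AutoAdminLogon data instead of just its presence.

Added example; not code from the original post or from any scanner
vendor.  It models the 'collect configuration, then interpret it'
approach: parse the text an automated collector would pull from the
Winlogon key, then decide whether autologon is actually enabled and
whether a plaintext password is stored.  Severity labels are
illustrative assumptions.
"""
import re

# Standard location of the values discussed (NT 4.0 and later).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample collector output in the style of 'reg query';
# not captured from any real host.
SAMPLE_DISABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoAdminLogon    REG_SZ    0
    DefaultUserName   REG_SZ    Administrator
"""

SAMPLE_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName   REG_SZ    Administrator
    DefaultPassword   REG_SZ    constructed pass
"""

SAMPLE_STALE_PASSWORD = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    AutoAdminLogon    REG_SZ    0
    DefaultUserName   REG_SZ    Administrator
    DefaultPassword   REG_SZ    constructed pass
"""


def parse_reg_query(text):
    """Return {value_name: data} from reg-query-style output.

    Value lines look like 'name  REG_TYPE  data'.  Data may contain single
    spaces, so split only on runs of two or more spaces (or tabs).
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("HKEY_"):
            continue  # blank line or the key path itself
        parts = re.split(r"\s{2,}|\t+", line)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue  # not a value line
        data = parts[2] if len(parts) > 2 else ""
        values[parts[0]] = data
    return values


def presence_only_finding(values):
    """Flag on mere presence of the value, the behaviour the post attributes
    to ISS 5.8/6.0.  Returns True even when the data is 0 (a false positive)."""
    return "AutoAdminLogon" in values


def assess_autologon(values):
    """Interpret the data: autologon is on only when AutoAdminLogon is '1'.

    The severity assignment is an illustrative assumption for this example.
    """
    enabled = values.get("AutoAdminLogon", "").strip() == "1"
    password = values.get("DefaultPassword", "")
    if enabled and password:
        severity = "high"    # unattended logon with a plaintext password on disk
    elif enabled:
        severity = "medium"  # autologon requested; confirm by hand what it logs on as
    elif password:
        severity = "low"     # plaintext password stored, but autologon is off
    else:
        severity = "none"
    return {
        "present": "AutoAdminLogon" in values,
        "enabled": enabled,
        "password_stored": bool(password),
        "severity": severity,
    }


if __name__ == "__main__":
    for label, sample in [("disabled", SAMPLE_DISABLED),
                          ("enabled", SAMPLE_ENABLED),
                          ("stale password", SAMPLE_STALE_PASSWORD)]:
        vals = parse_reg_query(sample)
        print(label, "presence-only:", presence_only_finding(vals),
              "interpreted:", assess_autologon(vals))
```

Run against the "disabled" sample, the presence-only check still reports a hit while the interpreted result is "none", which is exactly the false positive described in the post; the "stale password" sample shows why the interpreted view still has something to say even when the flag is 0.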