Rapid7 Nexpose 5.1 SCAP Implementation Statement

Revision History

Date        Revision   Description   Author
18-Jan-12   1.0                      Ryan Poppa

SCAP Implementation Statement for Rapid7 Nexpose 5.1

This statement covers the following SCAP scanner capabilities:

·      FDCC Scanner

·      USGCB Scanner

·      Unauthenticated Vulnerability Scanner

·      Authenticated Configuration Scanner

Statement of FDCC/USGCB Implementation

You can open the Windows Firewall on Windows assets so that Nexpose can perform deep scans of these targets within your network.

By default, Microsoft Windows XP SP2, Windows Vista, Windows 7, Server 2003, and Server 2008 enable the Windows Firewall, which drops unsolicited inbound TCP/IP traffic. Keeping the firewall enabled is generally sound security practice. However, with the default firewall configuration Nexpose can do little more than discover that the asset exists; it cannot reach the services it needs for authenticated checks.

Opening specific exceptions in the firewall gives Nexpose access to the security-related data it requires for patch and compliance checks. The following procedures describe how to open those exceptions for Nexpose scans without disabling the firewall altogether. Wherever a procedure asks for an address scope, enter the address of the Nexpose Scan Engine (or the network it scans from) rather than a wildcard, so that the exceptions are usable only from the scanner. Typically, a domain administrator performs these steps.

The procedure refers to Windows XP, Windows 7, and Vista assets for illustration purposes. Steps vary for other Windows operating systems.

 

Opening the firewall in a domain-joined environment

The steps in this section are for an Active Directory environment in which the Windows target assets are members of a domain. During a network logon, each workstation obtains from the domain controller the policy settings that create the firewall exceptions.

Two settings must be enabled in the group policy for the domain in question:

Windows Firewall: Allow remote administration exception

and

Windows Firewall: Allow file and printer sharing exception

1.     In Windows, click the Start button and select Administrative Tools | Active Directory Users and Computers.

2.     In the Active Directory Users and Computers window, right-click the name of the domain in which you wish to open the firewall. From the pop-up menu, select Properties.

3.     In the Properties window for the selected domain, click the domain policy that you wish to edit, and click Edit.

4.     In the left navigation pane of the Group Policy Settings window, click the Domain Profile folder, which is located in the directory path Computer Configuration | Administrative Templates | Network | Network Connections  | Windows Firewall

5.     After you open the Domain Profile folder, find Windows Firewall: Allow file and printer sharing exception in the right pane, and double-click it to open the setting dialogue box.

6.     In the Setting tab of the dialogue box, click the Enabled radio button, and then click OK.

7.     In the right pane of the group policy window, find Windows Firewall: Allow remote administration exception. Double-click it to open the setting dialogue box.

8.     In the Setting tab of the dialogue box, click the Enabled radio button.

9.     In the text field labeled Allow unsolicited incoming messages from:, type the IP address of the Nexpose Scan Engine, or the address of the network from which scans will originate. Keep this scope as narrow as possible; it controls which hosts may reach the remote administration ports on every asset that receives the policy. Click OK.

 

Opening the firewall in a stand-alone environment

The steps in this section are for a stand-alone configuration of Windows 7, Vista, or Windows XP, in which the target asset is not a member of a domain and is not controlled by policy settings.

 

Enabling settings in the Standard Profile of the Local Group Policy Editor

1.     Click Start, open the Run dialog box, and type gpedit.msc to start Windows Group Policy Editor.

        In Windows 7 and Vista, you can alternatively start Windows Group Policy Editor by typing the command in the Start Search box. This displays an icon that you can click to start the editor.

2.     In the left pane of Group Policy Editor, go to Local Computer Policy | Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall.

        Two settings in Standard Profile must have an "Enabled" state for Nexpose to communicate through the firewall:

        Allow inbound file and printer sharing exception

        and

        Allow inbound remote administration exception

3.     Double-click Allow inbound file and printer sharing exception in Standard Profile.

4.     In the dialog box for that setting, click the Enabled option button.

5.     In the box labeled Allow unsolicited incoming messages from these IP addresses:, type the IP address of the host where the Scan Engine is located. An asterisk (*) is also accepted, but it admits unsolicited traffic from any address; use it only if you cannot scope the exception to the scanner.

6.     Click OK.

7.     Double-click Allow inbound remote administration exception in Standard Profile.

8.     In the dialog box for that setting, click the Enabled option button.

9.     In the box labeled Allow unsolicited incoming messages from these IP addresses:, type the Scan Engine IP address (or an asterisk, with the same caveat as in step 5).

10.   Click OK.

        Leave all other settings in Domain Profile and Standard Profile in the "Not Configured" state.

 

Starting Remote Registry

Starting Remote Registry makes it possible for Nexpose to fingerprint remote scan targets accurately.

1.     Click Start, open the Run dialog box, and type services.msc to start the Services manager.

        In Windows 7 and Vista, you can alternatively start the Services manager by typing the command from the Start Search box. This displays an icon that you can click to start the manager.

2.     In the right pane of the Services manager, look at the Remote Registry status. If it is "Started," you do not have to do anything.

        If it is not "Started," double-click the service name.

3.     In the dialog box, click Start, and then click OK.
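The stand-alone firewall procedure above and the Remote Registry step can be applied and verified from an elevated PowerShell prompt instead of the GUI. The following script is an added example for this statement, not Rapid7 code or part of the Nexpose product. It enables the inbound File and Printer Sharing and Remote Administration rule groups scoped to the Scan Engine address, starts Remote Registry, and then reads the firewall state back so the result can be checked rather than eyeballed. It assumes a Windows Vista, Windows 7 or Server 2008 target with English-locale rule names (the netsh advfirewall context does not exist on Windows XP), and 192.0.2.10 is a placeholder address to be replaced with your Scan Engine's.

```powershell
# Added example (not Rapid7 code): apply and verify the stand-alone firewall
# exceptions and the Remote Registry prerequisite on Windows Vista / 7 /
# Server 2008 from an elevated PowerShell prompt. netsh advfirewall is used
# because the NetSecurity cmdlets do not exist on those releases.
# Assumptions: English-locale rule group names; 192.0.2.10 is a placeholder.

param(
    [string]$ScanEngineIP = '192.0.2.10'   # single address or CIDR, e.g. 192.0.2.0/24
)

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
    }
}

function Enable-ScannerRuleGroup {
    param([string]$Group, [string]$RemoteIP)
    # Enable only the inbound rules of the group and restrict their remote scope
    # to the Scan Engine. The GUI's '*' (netsh: remoteip=any) would admit
    # unsolicited traffic from every address, so it is deliberately not offered.
    & netsh advfirewall firewall set rule group="$Group" dir=in new enable=yes remoteip=$RemoteIP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh could not update rule group '$Group'" }
}

function Enable-RemoteRegistry {
    # Remote Registry is stopped (Manual start) by default on client releases.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
}

function Get-InboundRuleState {
    param([string]$Group)
    # Parse "netsh advfirewall firewall show rule" text into objects. Labels are
    # English-locale; each rule block starts with a "Rule Name:" line.
    $rules   = @()
    $current = $null
    foreach ($line in (& netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $Matches[1].Trim() }
        }
        elseif ($current -and $line -match '^(Grouping|Enabled|RemoteIP|Profiles):\s*(.+)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += New-Object PSObject -Property $current }
    $rules | Where-Object { $_.Grouping -eq $Group } |
        Select-Object Name, Enabled, Profiles, RemoteIP
}

Assert-Elevated
foreach ($group in 'File and Printer Sharing', 'Remote Administration') {
    Enable-ScannerRuleGroup -Group $group -RemoteIP $ScanEngineIP
}
Enable-RemoteRegistry

# Verification: every inbound rule in both groups should now show Enabled: Yes
# with RemoteIP equal to the Scan Engine address, and Remote Registry should be
# Running with StartMode Auto. Win32_Service is queried because Get-Service on
# PowerShell 2.0 (the Windows 7 default) does not expose the start mode.
'File and Printer Sharing', 'Remote Administration' |
    ForEach-Object { Get-InboundRuleState -Group $_ } | Format-Table -AutoSize
Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'" | Select-Object Name, State, StartMode
```

Because the script edits the built-in rule groups directly, a domain Group Policy that also manages Windows Firewall will override it at the next policy refresh; on domain-joined assets use the domain procedure above instead.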

 

Additional steps on Windows XP targets

If you are scanning Windows XP targets, you must perform an additional step so that Nexpose can communicate through the firewalls on these assets:

·      checking the state of Protect all network connections

To check the Protect all network connections setting...

1.     Click Start, open the Run dialog box, and type gpedit.msc to start Windows Group Policy Editor.

        OR

        Type the gpedit.msc command in the Start Search box and then click the icon to start Windows Group Policy Editor. See Opening the firewall in a stand-alone environment.

2.     In the left pane of Group Policy Editor, go to Local Computer Policy | Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall | Standard Profile.

3.     Look at the state of the setting Windows Firewall: Protect all network connections to verify that the state is "Disabled." If it is, you do not have to do anything else.

        If the state is "Enabled," double-click the setting. In the dialog box for that setting, click the Disabled option button, and then click OK.

        Note that "Disabled" here turns Windows Firewall off on the asset entirely. "Not Configured" leaves the firewall under local control, with only the exceptions opened in the previous section, and is the less intrusive choice where it gives Nexpose the access it needs.

 

Additional steps on Windows Vista targets

If you are scanning Windows Vista targets, you must perform additional steps so that Nexpose can communicate through the firewalls on these assets:

·      making sure the setting Prohibit use of Internet connection firewall on your DNS domain network has a "Disabled" or "Not configured" state

·      turning off User Account Control

To check the firewall policy setting...

1.     Click Start, open the Run dialog box, and type gpedit.msc to start Windows Group Policy Editor.

        OR

        Type the gpedit.msc command in the Start Search box and then click the icon to start Windows Group Policy Editor. See the topic Opening the firewall in a stand-alone environment.

2.     In the left pane of Group Policy Editor, go to Local Computer Policy | Computer Configuration | Administrative Templates | Network | Network Connections.

3.     Look at the state of the setting Prohibit use of Internet connection firewall on your DNS domain network to verify that the state is "Not configured" or "Disabled." If it is, you do not have to do anything else.

        If the state is "Enabled," double-click the setting. In the dialog box for that setting, click the Disabled or Not configured option button, and then click OK.

To turn off User Account Control...

Turning off UAC removes the elevation prompt for every administrator who logs on to the asset, not only for the scanning account. Treat it as a documented exception for the assets that need credentialed scans, and turn it back on when it is no longer required.

1.     Click Start, and then select Control Panel.

2.     Click the link User Accounts and Family Safety.

3.     Click User Accounts.

4.     Click the link Turn User Account Control on or off.

        If the check box Use User Account Control (UAC) to help protect your computer is selected, clear the check box, and click OK. If it is not selected, you do not have to do anything and can click Cancel.

        If you change this setting, you will have to restart Windows.

 

Additional steps on Windows 7 targets

If you are scanning Windows 7 targets, you must perform additional steps so that Nexpose can communicate through the firewalls on these assets:

·      making sure the setting Prohibit use of Internet connection firewall on your DNS domain network has a "Disabled" or "Not configured" state

·      turning off User Account Control

·      removing user rights restrictions that would block the scanning account

To check the firewall policy setting...

1.     Click Start, open the Run dialog box, and type gpedit.msc to start Windows Group Policy Editor.

        OR

        Type the gpedit.msc command in the Start Search box and then click the icon to start Windows Group Policy Editor. See the topic Opening the firewall in a stand-alone environment.

2.     In the left pane of Group Policy Editor, go to Local Computer Policy | Computer Configuration | Administrative Templates | Network | Network Connections.

3.     Look at the state of the setting Prohibit use of Internet connection firewall on your DNS domain network to verify that the state is "Not configured" or "Disabled." If it is, you do not have to do anything else.

        If the state is "Enabled," double-click the setting. In the dialog box for that setting, click the Disabled or Not configured option button, and then click OK.

To turn off User Account Control...

Turning off UAC removes the elevation prompt for every administrator who logs on to the asset, not only for the scanning account. Treat it as a documented exception for the assets that need credentialed scans, and turn it back on when it is no longer required.

1.     Click Start, and then select Control Panel.

2.     Click the link User Accounts and Family Safety.

3.     Click User Accounts.

4.     Click the link Change User Account Control settings.

        Windows 7 shows a slider instead of the Vista check box. If the slider is not already at Never notify, move it there and click OK; otherwise click Cancel.

        If you change this setting, you will have to restart Windows.

To turn off User Rights Assignment Restrictions…

1.     Click Start, open the Run dialog box, and type gpedit.msc to start Windows Group Policy Editor.

        OR

        Type the gpedit.msc command in the Start Search box and then click the icon to start Windows Group Policy Editor. See the topic Opening the firewall in a stand-alone environment.

2.     In the left pane of Group Policy Editor, go to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment.

3.     Look at the setting Deny access to this computer from the network to verify that the list contains only "Guest." If other users or groups are listed, remove them. Any account covered by an entry in this list, including the account Nexpose authenticates with, is refused network logon regardless of its other permissions.

4.     Look at the setting Deny log on as a batch job to verify that the list is empty. If there are any users in this list, remove them.

5.     Look at the setting Deny log on as a service to verify that the list is empty. If there are any users in this list, remove them.
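The UAC and user rights checks in this section can be audited without clicking through the GUI on every asset. The following script is an added example, not Rapid7 code: it reads the EnableLUA registry value that the UAC slider controls and exports the local user rights assignments with secedit, then reports whether each of the three deny rights holds anything the steps above say it should not. It only reports; it changes nothing. It assumes an elevated prompt (secedit requires one) and a stand-alone Windows 7 host whose Guest account resolves through the local SAM.

```powershell
# Added example (not Rapid7 code): audit the Windows 7 UAC and user rights
# prerequisites described above. Reports only; changes nothing.
# Assumptions: elevated prompt (secedit /export needs it); local Guest account.

function Get-UacState {
    # EnableLUA = 1 means UAC is on. The value is read at boot, so a change made
    # through the Control Panel slider is pending until the next restart.
    # "Ok" means the document's requirement (UAC off) is met, not that the
    # setting is desirable from a hardening point of view.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    New-Object PSObject -Property @{
        Setting = 'User Account Control (EnableLUA)'
        Value   = $value
        Ok      = ($value -eq 0)
    }
}

function Resolve-SecurityPrincipal {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-5-...; entries it could not resolve stay as names.
    if ($Entry.StartsWith('*')) {
        $sid = New-Object Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        try { return $sid.Translate([Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }
    }
    return $Entry
}

function Get-DenyRightState {
    # Export only the user-rights area of the local security policy. A right
    # that is assigned to nobody is simply absent from the export.
    $inf = Join-Path $env:TEMP ('rights-' + [guid]::NewGuid() + '.inf')
    & secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'secedit /export failed; is the prompt elevated?' }

    $rights = @{
        SeDenyNetworkLogonRight = 'Deny access to this computer from the network'
        SeDenyBatchLogonRight   = 'Deny log on as a batch job'
        SeDenyServiceLogonRight = 'Deny log on as a service'
    }
    $assigned = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($Matches[1])) {
            $assigned[$Matches[1]] = @($Matches[2] -split ',' |
                Where-Object { $_.Trim() } |
                ForEach-Object { Resolve-SecurityPrincipal $_.Trim() })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    foreach ($constant in $rights.Keys) {
        $members = @()
        if ($assigned.ContainsKey($constant)) { $members = $assigned[$constant] }
        # Network logon may deny Guest (the Windows 7 default); the other two
        # rights must be empty. Anything else listed blocks the scanning
        # account if it is a member.
        $unexpected = @($members | Where-Object {
            $constant -ne 'SeDenyNetworkLogonRight' -or $_ -notmatch '\\Guest$' })
        New-Object PSObject -Property @{
            Setting = $rights[$constant]
            Value   = ($members -join '; ')
            Ok      = ($unexpected.Count -eq 0)
        }
    }
}

Get-UacState
Get-DenyRightState | Format-Table Setting, Value, Ok -AutoSize
```

Where a deny entry was added deliberately as part of a hardening baseline, the minimal change is to make sure the account Nexpose uses is not covered by it, rather than clearing the list; the report above shows exactly which principals are present so that decision can be made per asset.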

 

Statement of SCAP Implementation

Nexpose complies with Security Content Automation Protocol (SCAP) criteria for the Federal Desktop Core Configuration (FDCC) Scanner, the United States Government Configuration Baseline (USGCB) Scanner for Windows 7, the Unauthenticated Vulnerability Scanner, and the Authenticated Configuration Scanner. SCAP is a collection of open standards for expressing and exchanging security configuration and vulnerability data in a machine-readable way. Its use is mandated for U.S. federal agencies, and it is maintained by the National Institute of Standards and Technology (NIST).

This statement describes how Nexpose implements the following SCAP component standards:

·         The Common Platform Enumeration (CPE) naming scheme, based on the generic syntax for Uniform Resource Identifiers (URI), is a method for identifying operating systems and software applications.

·         The Common Vulnerabilities and Exposures  (CVE) standard prescribes how the product should identify vulnerabilities, making it easier for security products to exchange vulnerability data.

·         The Common Vulnerability Scoring System (CVSS) is an open framework for computing a numeric severity score for each vulnerability.

·         The Common Configuration Enumeration (CCE) provides unique identifiers for security-related system configuration issues.

·         The Open Vulnerability and Assessment Language (OVAL) includes a language used to encode system details and an assortment of publicly-available content repositories that use the language.

·         The eXtensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related documents.

 

Statement of CVE Implementation 

When Nexpose populates its scan database with information about discovered vulnerabilities, it applies Common Vulnerabilities and Exposures (CVE) identifiers to these vulnerabilities whenever these identifiers are available.

You can view CVE identifiers on vulnerability detail pages in the Nexpose Security Console Web interface. Each listed identifier is a hypertext link to the corresponding entry in the National Vulnerability Database (NVD) at nvd.nist.gov, where you can find additional information and references for the vulnerability.

You can search for vulnerabilities in the Nexpose Web interface by using CVE identifiers as search criteria.

CVE identifiers also appear in the Discovered Vulnerabilities sections of Nexpose reports.

Nexpose tracks the CVE list as it is published through the CVE mailing list and changelog. Because its vulnerability definitions are kept current with that list, Nexpose does not report a CVE version number. Vulnerability definitions are updated every six hours through a subscription service that maintains existing definitions and links and adds new ones continuously.

 

Statement of CCE Implementation  

To keep current with changes to the NIST Common Configuration Enumeration (CCE) dictionary, Nexpose includes the latest CCE data in every content update, so newly released CCE identifiers become available as soon as the dictionary is updated. As policies are imported into Nexpose, it maps CCE names onto the relevant policy checks.

Nexpose displays a Configuration Policy Listing table on every scanned asset's information page. You can click the link for any listed policy to see the rules associated with that policy, and click the link for any rule to see its details, including its CCE data. The CCE identifier on the rule page links to all CCE-related information for that rule. See the topic Accessing CCE Information.

 

Statement of CPE Implementation  

During scans, Nexpose uses its fingerprinting technology to recognize target platforms and applications. After a scan completes and the scan database has been populated with the new data, Nexpose applies Common Platform Enumeration (CPE) names to the fingerprinted platforms and applications wherever a corresponding CPE name exists.

Within the Nexpose database, CPE names are kept up to date with changes to the National Institute of Standards and Technology (NIST) CPE dictionary. With every revision to the dictionary, Nexpose maps newly available CPE names to platform and application descriptions that previously had none.

Nexpose displays CPE names in scan data tables in the Nexpose Security Console Web interface. You can view these names in listings of assets, software, and operating systems, as well as on pages for specific assets. CPE names also appear in Nexpose reports in the XML Export format.

 

Statement of CVSS Implementation   

For every vulnerability that it discovers, Nexpose computes a Common Vulnerability Scoring System (CVSS) Version 2 score. In the Nexpose Security Console Web interface, each vulnerability is listed with its CVSS score. You can use this score, severity rankings, and risk scores based on either temporal or weighted scoring models—depending on your configuration preference—to prioritize vulnerability remediation tasks.

Nexpose incorporates the CVSS score in the PCI Executive Summary and PCI Vulnerability Details reports, which provide detailed Payment Card Industry (PCI) compliance results. Each discovered vulnerability is ranked according to its CVSS score. Rapid7 is an Approved Scanning Vendor (ASV), and Nexpose is a PCI-sanctioned tool for conducting compliance audits. CVSS scores map to the severity rankings that ASVs use to determine whether a given asset is compliant with PCI standards.

Nexpose also includes the CVSS score in report sections that appear in various report templates. The Highest Risk Vulnerability Details section lists highest risk vulnerabilities and includes their categories, risk scores, and their CVSS scores. The Index of Vulnerabilities section includes the severity level and CVSS rating for each vulnerability.

The PCI Vulnerability Details section contains in-depth information about each vulnerability included in a PCI Audit (legacy) report. It quantifies the vulnerability according to its severity level and its CVSS rating.

 

Statement of OVAL Implementation  

During a scan with policy checks, Nexpose dynamically imports Open Vulnerability and Assessment Language (OVAL) content that has been referenced by an XCCDF policy. Nexpose converts the OVAL definitions into an internal format that it uses to evaluate the target asset. The results of each policy check are displayed in the full OVAL Results format, which you can access from the Configuration Policy Listing table on every scanned asset's information page. See the topic Accessing OVAL Information. Each policy has an associated OVAL result view of the specific asset in Extensible Markup Language (XML) and comma-separated value (CSV) formats.

You can see a list of all the OVAL files that have been imported into Nexpose on the SCAP page, which you can access from the Administration page in Nexpose Security Console Web interface. You can download and view the contents of any OVAL file by clicking the link for its name.

 

Statement of XCCDF Implementation

Nexpose imports eXtensible Configuration Checklist Description Format (XCCDF) benchmarks and converts them to Nexpose policy checks, which you can add to scan templates.

After you run a policy scan, you can access XCCDF data by creating a report in one of the following formats.

XCCDF Results XML Report provides information about compliance tests for individual FDCC configuration policy rules. Each report is dedicated to one rule. Initial sections of the XML output include details about the rule itself. The remainder of the output includes data about the results. If any results were overridden, the output identifies the most recent override as of the time the report was run.

XCCDF Human Readable CSV Report provides test results on individual assets for compliance with individual FDCC configuration policy rules. If any results were overridden, the output lists results based on the most recent overrides as of the time the output was generated.

To create a Nexpose report, click the Reports tab on the Web interface. In the General page of the Reports Configuration panel, enter a name and description for the report and choose a format. Then, in the Scope page, select the scanned assets that you want to report on. For the XCCDF Human Readable CSV Report, you can only select one asset at a time. After configuring the report, click Save in the Report Configuration panel. Download the new report instance. If it’s in CSV format, you can view it in a spreadsheet program.
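The XCCDF Results XML output described above is ordinary XCCDF 1.1, so it can be processed with any XML tooling once downloaded, which is also how the CCE identifiers from the CCE section and the CPE platform names from the CPE section appear in it. The following PowerShell script is an added example, not Rapid7 code, and the XML it parses is constructed for this example rather than captured from Nexpose: it follows the XCCDF 1.1 schema (Benchmark, platform, Rule and TestResult elements) and uses CCE-00000-0 as a placeholder identifier. The script joins each rule-result to its rule title and CCE identifier, lists the CPE names the benchmark applies to, and summarizes the results per outcome. Real Nexpose output may carry additional elements; the XPath expressions here rely only on elements the schema defines.

```powershell
# Added example (not Rapid7 code): parse a constructed XCCDF 1.1 result
# document. The XML and the CCE-00000-0 identifier are placeholders.

$SampleXccdfResult = @'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample-benchmark">
  <status date="2012-01-18">draft</status>
  <title>Constructed sample benchmark (not a real FDCC/USGCB benchmark)</title>
  <platform idref="cpe:/o:microsoft:windows_7"/>
  <version>1.0</version>
  <Rule id="rule-minimum-password-length" selected="true" severity="medium">
    <title>Minimum password length</title>
    <ident system="http://cce.mitre.org">CCE-00000-0</ident>
  </Rule>
  <Rule id="rule-audit-logon-events" selected="true" severity="medium">
    <title>Audit logon events</title>
  </Rule>
  <Rule id="rule-bitlocker-available" selected="true" severity="low">
    <title>BitLocker available</title>
  </Rule>
  <TestResult id="constructed-result" end-time="2012-01-18T10:05:00">
    <benchmark href="constructed-sample-benchmark.xml"/>
    <target>win7-workstation.example.invalid</target>
    <target-address>192.0.2.55</target-address>
    <rule-result idref="rule-minimum-password-length"><result>pass</result></rule-result>
    <rule-result idref="rule-audit-logon-events"><result>fail</result></rule-result>
    <rule-result idref="rule-bitlocker-available"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
'@

function Import-XccdfDocument {
    param([Parameter(Mandatory = $true)][string]$XccdfXml)
    # XCCDF elements live in a namespace, so XPath needs a prefix bound to it.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XccdfXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('x', 'http://checklists.nist.gov/xccdf/1.1')
    New-Object PSObject -Property @{ Document = $doc; Namespaces = $ns }
}

function Get-XccdfPlatform {
    param([Parameter(Mandatory = $true)][string]$XccdfXml)
    # Benchmark/platform idref values are CPE names (CPE 2.2 URI form here).
    $x = Import-XccdfDocument $XccdfXml
    foreach ($attr in $x.Document.SelectNodes('/x:Benchmark/x:platform/@idref', $x.Namespaces)) {
        $attr.Value
    }
}

function Get-XccdfRuleResult {
    param([Parameter(Mandatory = $true)][string]$XccdfXml)
    $x = Import-XccdfDocument $XccdfXml

    # Rule definitions carry the title and the CCE identifier; rule-results
    # only carry an idref, so build a lookup from the Rule elements first.
    $ruleInfo = @{}
    foreach ($rule in $x.Document.SelectNodes('//x:Rule', $x.Namespaces)) {
        $cce   = $null
        $ident = $rule.SelectSingleNode("x:ident[@system='http://cce.mitre.org']", $x.Namespaces)
        if ($ident) { $cce = $ident.InnerText }
        $ruleInfo[$rule.GetAttribute('id')] = @{
            Title = $rule.SelectSingleNode('x:title', $x.Namespaces).InnerText
            CCE   = $cce
        }
    }

    foreach ($rr in $x.Document.SelectNodes('//x:TestResult/x:rule-result', $x.Namespaces)) {
        $id = $rr.GetAttribute('idref')
        New-Object PSObject -Property @{
            Target = $rr.ParentNode.SelectSingleNode('x:target', $x.Namespaces).InnerText
            Rule   = $id
            Title  = $ruleInfo[$id].Title
            CCE    = $ruleInfo[$id].CCE
            Result = $rr.SelectSingleNode('x:result', $x.Namespaces).InnerText
        }
    }
}

$results = Get-XccdfRuleResult -XccdfXml $SampleXccdfResult

'Platforms: ' + ((Get-XccdfPlatform -XccdfXml $SampleXccdfResult) -join ', ')
$results | Group-Object Result | Select-Object Name, Count
# Failing rules, with the CCE identifier to cite in remediation where the benchmark supplied one.
$results | Where-Object { $_.Result -eq 'fail' } | Format-Table Target, Rule, CCE, Title -AutoSize
```

To run it against a downloaded report, replace the here-string with Get-Content -Raw on the report file (or [IO.File]::ReadAllText on PowerShell 2.0); the result values are the XCCDF vocabulary (pass, fail, error, unknown, notapplicable, notchecked, notselected, informational, fixed), so filtering on anything other than pass and notapplicable gives the rules that need attention.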