
I want to conduct a technical security assessment on my company's client computers with focus on Windows 10.

So far, my idea is to execute several Powershell scripts on the clients and gather the results into one central point. For example, the Powershell scripts should analyze the current version of antivirus signatures, list the installed software or the local users.

In the end, I want to answer questions like "which clients have old versions of antivirus databases?", "which clients have unauthorised software installed?", "which clients have unauthorised local users?" etc. Also, I want to see trends, so I want to store the log files time-dependent.

What is the best way to analyze such log files? Do I need something like a Log Management tool or is it too much of a good thing? Or is there even existing software for that purpose? How would you try to solve the problem?

schroeder
Daniel

  • This isn't really a security related question. You're basically asking how to analyse CSV data. Could you not just use a script to sum up the numbers? Assuming since you're already talking PowerShell scripts you'd be capable of writing that. – Hector Dec 21 '17 at 09:55
  • What you are asking for is asset management and vulnerability management tools. There are a LOT to choose from. As for PowerShell scripts, GitHub has many, many options. As for analysing and trending them, you also have a lot of options, but you are looking for "log aggregation" tools. Short answer is: people have been doing what you want to do for a long time and there are many mature options that should suit your needs. – schroeder Dec 21 '17 at 10:16
  • This question is really broad. Your "best way" is most likely very different from my "best way". Who are you presenting this data to? What change do you hope to put in place from it? There are a lot of other questions to answer before arriving at a best way to analyze these results. – baldPrussian Dec 21 '17 at 14:17
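The collector the question describes, written out as an added example (this is not code from the question or from any of the answers): one PowerShell script per client that gathers antivirus state, installed software and local accounts, and drops a timestamped JSON snapshot on a central share so that later snapshots can be compared. The share path `\\fileserver\assessment$`, the folder layout `<HOST>\<timestamp>.json` and the choice of the built-in Defender and LocalAccounts cmdlets are assumptions made for the example; third-party products only expose a state flag through Security Center.

```powershell
# Added example, not from the original post. Assumptions: clients are Windows 10,
# \\fileserver\assessment$ is a share the machine account may write to, and the
# Defender / LocalAccounts modules are present (they are on a stock Windows 10 build).
#Requires -RunAsAdministrator

$Share   = '\\fileserver\assessment$'                     # assumed central drop location
$Stamp   = (Get-Date).ToUniversalTime().ToString("yyyyMMdd'T'HHmmss'Z'")
$OutDir  = Join-Path $Share $env:COMPUTERNAME
$OutFile = Join-Path $OutDir "$Stamp.json"

# 1. Antivirus state. Security Center lists every registered AV product (any vendor);
#    the Defender cmdlet adds signature version and age for the built-in engine only.
$AvProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, productState, timestamp
$Defender = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $Defender = Get-MpComputerStatus |
        Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge
}

# 2. Installed software, read from both Uninstall hives (64-bit and 32-bit installers).
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Software = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# 3. Local accounts, plus the membership of the local Administrators group, which is
#    where an "unauthorised local user" matters most.
$LocalUsers  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
$LocalAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# One snapshot object per run; the timestamp in the file name keeps runs apart so trends
# can be built later without overwriting anything.
$Snapshot = [ordered]@{
    Host        = $env:COMPUTERNAME
    CollectedAt = $Stamp
    OSVersion   = (Get-CimInstance Win32_OperatingSystem).Version
    AvProducts  = @($AvProducts)
    Defender    = $Defender
    Software    = @($Software)
    LocalUsers  = @($LocalUsers)
    LocalAdmins = @($LocalAdmins)
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
```

Run it as a scheduled task pushed by Group Policy (or your MDM) so it executes as SYSTEM on every client. Give the machine accounts create-only rights on the share, not read or modify: a compromised client should not be able to read other hosts' inventories or rewrite its own earlier snapshots, and the file name carries the host and time so a missing file is itself a finding.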

2 Answers


It sounds to me like what you want to do is a vulnerability scan. I know Nessus has the functionality to discern if virus definitions are out of date:

Nessus will generate a finding if the scan target has an Anti-Virus agent deployed with the virus detection rules out of date. We've often received feature requests asking us to allow customers to set a grace period (in days) to avoid generating this alert. Such a preference was added this week under the heading 'Antivirus Software Check':

Source: https://www.tenable.com/blog/keeping-anti-virus-in-check

I'm not advocating for or against Nessus as a vulnerability scanner, but this sounds like what you're searching for.

The PowerShell idea is good in theory, but pretty bad in practice. How can you be sure every workstation you're managing runs the script and reports successfully?

Mrdeep

  • For your last point about PowerShell, this is easily done by knowing what boxes should be reporting in (asset management, pulled from the AD database, etc.) – schroeder Dec 21 '17 at 20:25
  • Hi. As far as I know, Nessus is suitable for checking a host from external (portscan, fingerprinting etc.), but not from an internal view (version of installed software, local user accounts, uptime, available disk space etc.). I want to check the internal things. Maybe a combination of Nessus (or other security scanners) and PowerShell (or other solutions) is a good way to go. – Daniel Dec 22 '17 at 10:30
  • @Daniel Most vulnerability scanners can do "authenticated scans". They require a service account and are able to log on to machines and scan for vulnerabilities. That's how the antivirus check works. – Mrdeep Dec 22 '17 at 13:25
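The answer's objection (how do you know every workstation reported?) and the comment's reply (compare against the machines Active Directory says should exist) can be checked in the same script that answers the three questions from the question, so here is that server-side analysis as an added example; it is not code from the answer, the comments or the question. It assumes the snapshot layout `\\fileserver\assessment$\<HOST>\<timestamp>.json` with the fields `Host`, `CollectedAt`, `Defender`, `Software` and `LocalUsers`, that the RSAT ActiveDirectory module is installed where it runs, and that the allow-lists and the three-day signature threshold are placeholders for your own policy.

```powershell
# Added example, not from the original answer. Assumptions: snapshots as described in the
# lead-in, RSAT ActiveDirectory installed, and illustrative allow-lists/thresholds below.
$Share            = '\\fileserver\assessment$'
$MaxSignatureAge  = 3                                                # days; assumed policy
$ApprovedSoftware = @('Microsoft Edge', 'Google Chrome', '7-Zip*')   # assumed allow-list, -like patterns
$ApprovedUsers    = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'helpdesk')

# Load every snapshot ever written, then keep only the newest one per host for the
# "current state" questions. The full set is kept for the trend at the end.
$Snapshots = Get-ChildItem -Path $Share -Recurse -Filter '*.json' |
    ForEach-Object { Get-Content -Path $_.FullName -Raw | ConvertFrom-Json }
$Latest = $Snapshots | Group-Object Host | ForEach-Object {
    $_.Group | Sort-Object CollectedAt -Descending | Select-Object -First 1
}

# Coverage check: every enabled Windows 10 computer object in AD is expected to report.
$Expected = Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*" -and Enabled -eq "True"' |
    Select-Object -ExpandProperty Name
$Reported = $Latest | Select-Object -ExpandProperty Host
$Missing  = @($Expected | Where-Object { $_ -notin $Reported })
"Clients in AD that never reported: $($Missing.Count)"
$Missing | ForEach-Object { "  $_" }

# Q1: which clients have old antivirus databases? (Defender figures; other vendors only
#     expose a productState flag, so treat a missing Defender block as "check manually".)
$StaleAv = @($Latest | Where-Object { $_.Defender -and $_.Defender.AntivirusSignatureAge -gt $MaxSignatureAge })
"Clients with signatures older than $MaxSignatureAge days: $($StaleAv.Count)"
$StaleAv | Select-Object Host, @{ n = 'SigAgeDays'; e = { $_.Defender.AntivirusSignatureAge } } | Format-Table

# Q2: which clients have software outside the allow-list?
$Unauthorised = foreach ($s in $Latest) {
    foreach ($app in $s.Software) {
        $allowed = $ApprovedSoftware | Where-Object { $app.DisplayName -like $_ }
        if (-not $allowed) {
            [pscustomobject]@{ Host = $s.Host; Software = $app.DisplayName; Version = $app.DisplayVersion }
        }
    }
}
$Unauthorised | Sort-Object Host, Software | Format-Table

# Q3: which clients have local accounts outside the allow-list?
$RogueUsers = foreach ($s in $Latest) {
    foreach ($u in $s.LocalUsers) {
        if ($u.Name -notin $ApprovedUsers) {
            [pscustomobject]@{ Host = $s.Host; User = $u.Name; Enabled = $u.Enabled }
        }
    }
}
$RogueUsers | Sort-Object Host, User | Format-Table

# Trend: how many distinct hosts had stale signatures on each collection day, across all
# snapshots. CollectedAt is the yyyyMMdd'T'HHmmss'Z' string written by the collector.
$Snapshots |
    Where-Object { $_.Defender -and $_.Defender.AntivirusSignatureAge -gt $MaxSignatureAge } |
    Group-Object { $_.CollectedAt.Substring(0, 8) } |
    Select-Object @{ n = 'Day'; e = { $_.Name } },
                  @{ n = 'StaleHosts'; e = { @($_.Group | Select-Object -Unique Host).Count } } |
    Sort-Object Day | Format-Table
```

Two caveats that the answer's point implies. First, a host that is absent from `$Reported` is as important a finding as a stale signature, which is why the AD comparison runs before the three questions. Second, the data is self-reported: a machine that is already compromised can write a clean-looking snapshot, so an authenticated scan from a tool like the one the answer mentions is a useful independent check on the same machines rather than a replacement for the inventory.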

Your approach is not the best. If you want your company's Windows 10 machines secure, buy and install one proper antivirus on them and make sure their databases are up to date. Enforce security options via the domain controller, like Windows Update and so on.

If they are not your company's boxes, you should not trust them and should limit their access to a minimum, likely on a separate LAN. This kind of approach is "normal".

Also, analyzing a diverse set of boxes is very complex and hard to automate, and there are no tools to do it.

When you have one antivirus on all of them, you have a tool to control them from a central console. If you have different antiviruses, then you don't have such control.

Aria