
I have developed different templates for local security policy. I have been using the program Nexpose to test the effects of those security policies, but so far I am not able to detect the visible changes of policies on a vulnerability assessment tool. Can anyone guide me on how I can measure the effect of local security policy with respect to security attacks?

I want to show USGCB compliance in Nexpose. I need to have a third-party tool validation. Whenever I run the enterprise edition of Nexpose it gives me the vulnerabilities, not the policy auditing/compliance. Since I am a noob in the tool and the forums for the Rapid7 community are not available, can you tell me what steps I should take to get policy compliance for any particular system on the local network running Windows 7?

1 Answer


Windows Group Policies control many different aspects of a running machine. I'm not sure there could be a single way to test the breadth of what a policy could cover.

My approach is to define a test for each policy component (that can be tested) and use whatever tool is appropriate to execute that test. Sometimes that tool can be a script (PowerShell, Python, etc.), a packaged tool (Nexpose, Metasploit, etc.) or a manual test (click here then there, etc.).

The idea is to treat the security policy like a software development project and to use the concept of "unit testing". Each new "function" needs to be tested for expected behaviour (does it do what I'm asking it to do?) and for unexpected behaviour (what happens when I modify the inputs it controls?). These tests are documented and the results saved. When I make a change to the policy, I re-run the tests and add whatever new tests are appropriate. In this way, I can prove that the policy is effective, and I have evidence for Change Management and Auditors (when applicable). I rest easy knowing that I am not "hoping for the best" when I set a policy.

Having this documented test process also means that when a security incident happens, I can rule out the demonstrated behaviour of the policies and look for ways that the incident occurred despite the successful running of the policy (in other words, I can ask, "if everything worked, how could this have happened?"). Or I know where a policy can fail and I can design mitigating processes to make up for the weaknesses in the policy.

By the way, I use the same process for firewall rules.

schroeder
  • I want to show USGCB compliance in Nexpose. I need to have a third-party tool validation. Whenever I run the enterprise edition it gives me the vulnerabilities, not the policy auditing/compliance. Since I am a noob in the tool and the forums for the Rapid7 community are not available, can you tell me what steps I should take for getting policy compliance of any particular system, say running Windows 7? – Summayya Shahzad May 29 '15 at 21:24
  • @SummayyaShahzad you need to edit your question to include all these details. – schroeder May 29 '15 at 21:26
  • Microsoft has a baseline configuration tool that you could use. – schroeder May 29 '15 at 21:27
  • @schroeder - Having scripts to audit settings is very cool. Are they available somewhere? Github? – user2320464 May 29 '15 at 23:03
  • @user2320464 they aren't public because they are custom to each environment and each policy and machine. – schroeder May 29 '15 at 23:13
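The "one unit test per policy component" approach from the answer above, as an added example that is not from the answer's author: it parses the INF text that `secedit /export /cfg <file>` writes on Windows and checks each local security policy setting against a baseline, failing on missing settings as well as wrong values. The sample export and the baseline thresholds are constructed for this example (the thresholds are placeholders, not the official USGCB values).

```python
# Unit-test style audit of a `secedit /export /cfg <file>` INF export (assumed
# already decoded from UTF-16LE). Baseline values are placeholders, not USGCB's.
import configparser

# Constructed, abbreviated sample of a secedit export (not from a real host).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
"""

# One "unit test" per policy component: (section, key, predicate, expectation).
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 12, ">= 12"),
    ("System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 60, "1..60 days"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "1 (enabled)"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 5, "1..5 (0 never locks)"),
    ("System Access", "ClearTextPassword", lambda v: v == 0, "0 (disabled)"),
    ("Event Audit", "AuditLogonEvents", lambda v: v == 3, "3 (success+failure)"),
]

def parse_secedit(text):
    """Return {section: {key: value}}; integer-looking values become ints."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so names match the export
    cp.read_string(text)
    return {s: {k: int(v) if v.strip().lstrip("-").isdigit() else v.strip().strip('"')
                for k, v in cp.items(s)} for s in cp.sections()}

def audit(text, baseline=BASELINE):
    """Run every baseline test; a missing setting is a failure, not a skip."""
    policy = parse_secedit(text)
    results = []
    for section, key, check, expected in baseline:
        actual = policy.get(section, {}).get(key)
        passed = actual is not None and bool(check(actual))
        results.append({"test": f"{section}/{key}", "expected": expected,
                        "actual": "MISSING" if actual is None else actual, "passed": passed})
    return results

if __name__ == "__main__":
    for r in audit(SAMPLE_EXPORT):
        print("PASS" if r["passed"] else "FAIL", r["test"], r["actual"], "->", r["expected"])
```

Re-running the script after every policy change and keeping its output gives the documented evidence the answer describes; the same result list can be pushed into whatever test framework or ticketing system the change process uses.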