Recently I took over DIACAP testing on a few machines. Starting DIACAP testing can seem overwhelming given the number of tests and findings you will need to complete. Thankfully, automated tools have been released that speed up the process and reduce the number of STIG findings that must be checked by hand.
We have previously made a couple of posts about system hardening with Gold Disk and the lack of Gold Disk support for Windows 7. As we continue our DIACAP work and run tests on Windows 7 machines as well as newer embedded operating systems, I wanted to say more about eEye Digital Security's Retina, which was mentioned previously. Retina has many features, but I will focus on its auditing and SCAP scanning functionality and on some basic troubleshooting for embedded operating systems.
One benefit of using Retina is how easy it is to run tests against multiple machines. Retina can take a set of IP addresses and scan all of the devices at once, as long as the same credentials work across them. Scanning domain-joined systems thus becomes a simple matter of entering the IPs and providing a domain administrator's credentials (keep in mind that the scanner then holds those credentials, so use a dedicated scanning account where you can). Because the scan runs over the network, it also helps with embedded systems that do not always allow software to be installed on the machines themselves.
Retina can perform IAVM testing for you, based on a constantly updated list of Information Assurance Vulnerability Alerts (IAVAs). In our case this meant Retina could check the systems for missing updates and outdated .dll files that would otherwise make up an IAVM STIG of hundreds of findings. When working through the DIACAP process for multiple machines this is a huge time saving, as you are not going through each machine by hand. On top of the IAVM scanning, Retina also runs a port scan to determine which ports are open, and therefore which listening services are exposed, on each system. While this alone is a big help, the bigger part is the SCAP testing it supports.
SCAP benchmarks automate a portion of the STIG checks to aid testing and speed up the process. Just as Retina performs IAVM testing, it can run SCAP benchmarks against remote systems. One problem touched on previously is running SCAP benchmarks against embedded systems. This is still an issue because each benchmark first checks that the operating system matches the one the benchmark was written for, and an embedded OS does not report the expected name.
Thankfully, there is a workaround that lets the benchmark run against the system. The benchmark's operating-system check reads a specific value in the Windows registry; changing it to the expected value gets the benchmark to run. Match the embedded OS to its desktop equivalent: for Windows Embedded Standard 7, use the Windows 7 benchmarks. The value in question is ProductName under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. Setting it to "Windows 7 Professional" lets the SCAP tests run against the system. Keep in mind that anything else on the machine that reads ProductName (inventory tools, some installers) will see the spoofed name too, so record the original value and restore it as soon as testing is done. Also, SCAP testing produces false positives, so the results need to be double-checked, but it at least gives a better idea of what you are going to find while going through testing.
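The following PowerShell script is an added example, not code from the original post or from Retina. It records the current ProductName in a backup file, swaps it for the name the Windows 7 benchmark expects, and restores it afterwards, so the change is documented and reversible. It assumes it is run elevated on the embedded device, that the spoofed name "Windows 7 Professional" is the one the benchmark wants (as described above), and an arbitrary backup path under ProgramData.

```powershell
# Added example (not from the original post): swap the ProductName value that SCAP
# benchmarks key their OS check on, keeping a backup so the change can be reverted.
# Assumptions: run elevated on the embedded device; the target benchmark is the
# Windows 7 one, so "Windows 7 Professional" is used; the backup path is arbitrary.
param(
    [ValidateSet('Show', 'Spoof', 'Restore')]
    [string]$Action = 'Show',
    [string]$SpoofedName = 'Windows 7 Professional',
    [string]$BackupFile = "$env:ProgramData\scap-productname-backup.txt"
)

# This is the key the benchmark's OS check reads (not HKLM\SYSTEM).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ValueName = 'ProductName'

function Get-ProductName {
    (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

switch ($Action) {
    'Show' {
        "Current $ValueName : $(Get-ProductName)"
    }
    'Spoof' {
        if (Test-Path $BackupFile) {
            throw "Backup $BackupFile already exists; run -Action Restore before spoofing again."
        }
        $current = Get-ProductName
        # Record original value, timestamp and operator for the test documentation.
        "$current`t$(Get-Date -Format o)`t$env:USERDOMAIN\$env:USERNAME" |
            Set-Content -Path $BackupFile
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $SpoofedName
        "Changed $ValueName from '$current' to '$(Get-ProductName)'; original saved in $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path $BackupFile)) {
            throw "No backup at $BackupFile; nothing to restore."
        }
        # First tab-separated field of the backup line is the original name.
        $original = (Get-Content -Path $BackupFile -TotalCount 1).Split("`t")[0]
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $original
        Remove-Item -Path $BackupFile
        "Restored $ValueName to '$(Get-ProductName)'"
    }
}
```

Run it with `-Action Spoof` before the Retina SCAP scan and `-Action Restore` once the results are in; the refusal to spoof twice while a backup exists keeps you from overwriting the record of the real value if a scan has to be repeated.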
Another issue with scanning embedded systems is that the usual system services are often not installed or not running. The key things Retina needs are access to the system's C$ admin share, the ability to load the system's registry remotely, and valid login credentials. To get this working, check that the devices are on the same network, that the device's network adapter has File and Printer Sharing enabled and Client for Microsoft Networks installed, and that the Server and Remote Registry services are enabled and running. Also verify that the Windows Firewall is not blocking File and Printer Sharing; you can allow it only for the scanner's IP or subnet to limit exposure while testing is in progress. Document any changes required to get Retina working and revert them afterwards.
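The following PowerShell script is an added example, not part of the original post or of Retina. Run from the scanning host, it checks the three things listed above against one target before you start Retina: that TCP 445 is reachable through the firewall, that the C$ admin share opens, and that the remote registry can be read (it reads ProductName, so it also confirms which OS name the SCAP benchmark will see). It assumes `$Target` is a host name or IP reachable from the scanner and that the current session already has the credentials you will give Retina (a domain administrator, or for a standalone device a mapping made first with `net use \\<target>\IPC$ /user:<account>`). The `sc.exe` and `netsh` commands in the hints are standard Windows tools; the `remoteip=` restriction is the per-IP firewall allowance the text describes.

```powershell
# Added example (not from the original post): scanner-side pre-flight for the
# three prerequisites Retina needs on a target: SMB reachable, C$ share, remote registry.
# Assumptions: $Target is reachable; the current session's credentials are the ones
# Retina will use (domain admin, or a prior `net use \\<target>\IPC$ /user:...`).
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [int]$TimeoutMs = 3000
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$results = @()

# 1. SMB port open? If not, the firewall or adapter bindings are blocking us.
$results += New-Object PSObject -Property @{
    Check = 'TCP 445 (SMB) reachable'
    Pass  = Test-TcpPort -ComputerName $Target -Port 445 -TimeoutMs $TimeoutMs
    Hint  = 'On the target: netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes remoteip=<scanner IP>; also confirm File and Printer Sharing and Client for Microsoft Networks are bound on the adapter.'
}

# 2. C$ admin share reachable? Needs the Server (LanmanServer) service running.
$results += New-Object PSObject -Property @{
    Check = 'C$ admin share accessible'
    Pass  = Test-Path -Path "\\$Target\C`$"
    Hint  = 'On the target: sc.exe config LanmanServer start= auto; sc.exe start LanmanServer'
}

# 3. Remote registry readable? Needs the Remote Registry service running.
$remoteRegOk = $false
$productName = ''
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    $cv = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $productName = $cv.GetValue('ProductName')
    $remoteRegOk = -not [string]::IsNullOrEmpty($productName)
    $cv.Close(); $hklm.Close()
} catch {
    $productName = $_.Exception.Message
}
$results += New-Object PSObject -Property @{
    Check = "Remote registry readable (ProductName = '$productName')"
    Pass  = $remoteRegOk
    Hint  = 'On the target: sc.exe config RemoteRegistry start= auto; sc.exe start RemoteRegistry'
}

$results | Format-Table -AutoSize Check, Pass
$results | Where-Object { -not $_.Pass } |
    ForEach-Object { Write-Warning "$($_.Check): $($_.Hint)" }
```

A failed check prints the corresponding fix as a warning; each of those fixes is a change to the device that should go into the test documentation and be reverted when the scanning is finished.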
While some of the setup may seem troublesome, especially on embedded systems where you will need to troubleshoot connectivity, the result is well worth it. With a working Retina scanner you can quickly rerun scans to verify that the changes made to the systems actually close the vulnerabilities. Once you have worked out how to get the scanner running against your systems, that setup can be reused to run quick benchmark tests and verify that software changes have not opened new vulnerabilities.