IT cannot secure what it doesn't acknowledge. If IT does not uncover some vulnerabilities during testing, they...
will go unaddressed until someone else finds the problems and exploits them.
When an IT professional misses exploitable vulnerabilities on his network, he's a sitting duck. It's simply a numbers game. If there are enough undetected vulnerabilities on enough systems with enough gullible or careless users -- and it just takes one -- before too long, an incident or breach is inevitable.
As a result, Windows vulnerability scans must be a core component of any desktop security management program. In fact, if IT does not perform a Windows vulnerability scan properly -- or take it seriously -- it can result in failed security programs and catastrophes.
Don't just go through the motions
It's important to view a Windows vulnerability scan as more than just another box on a checklist. Get to know the tools.
Know user roles and how they'll affect the results of authenticated scans. Running authenticated scans as a standard domain user will result in vastly different outcomes than running them as a domain administrator. It's good to see it from both perspectives.
Quiz: Test your knowledge about authenticated vulnerability scanning
This vulnerability scanning quiz will test you on key points, including what systems get scanned and when, what prerequisites exist for a scan and what roles to scan.
IT can place limitations on scans -- no domain admin authentication allowed, for example -- and can qualify the findings with that information. If IT pros want to uncover the largest number of Windows flaws, they have to scan with domain -- or local -- administrator authentication.
Authenticated vs. unauthenticated vulnerability scans
IT must run a Windows vulnerability scan both with and without user authentication to find the most weaknesses. Anything less simply isn't enough.
Scanning without user authentication means IT runs the vulnerability scanner without logging into the Windows system and seeing what an outsider sees. A Windows vulnerability scan with user authentication shows what a trusted user sees and involves entering a valid username and password that enables the scanner to log into each Windows system and perform a more thorough scan of the computer.
The results of unauthenticated and authenticated scans differ greatly. As a result, it's good to alternate between the two.
For example, when running an unauthenticated Windows vulnerability scan, it's common to find the following predictable vulnerabilities:
- a relatively small number of missing Windows OS patches -- including the MS17-010 EternalBlue ransomware flaw, but rarely any other big ones;
- network shares that are accessible to anyone with a computer plugged into the network;
- weak Windows passwords; and
- File Transfer Protocol services enabled.
An authenticated Windows vulnerability scan presents an entirely different -- and uglier -- world. This level of scanning finds the items above and much more, including:
- Many additional missing Windows and Microsoft application patches, which attackers can easily exploit with tools such as Metasploit to gain full remote access.
- Missing third-party software patches in programs such as Adobe Reader, Java and Mozilla Firefox. These can create big problems on endpoints via zero-day malware attacks.
- Network shares any logged in users can access, which often expose a lot of unmonitored sensitive information.
- A weak Windows domain password policy, including no password complexity requirements or no intruder lockout.
Why so sloppy?
In other professions, the people using tools such as radon test meters and oscilloscopes are trained on their equipment. Some even have to be licensed or certified to use them in their work. That's not the case in IT and security. It's likely that most people performing vulnerability scans have never taken a class or had any formal training on how to properly do them.
Vendors want to make people think their tools are as simple as point and click, but for the most part, they aren't. There are tons of options that can work both for and against IT when it performs network discoveries, including selecting which scan policy to run and deciding how to report findings. The vulnerability scanning process is not simple, but many people treat it that way.
As long as IT knows all the variables in Windows vulnerability testing -- unauthenticated versus authenticated -- and reports on them so everyone's expectations are properly set, then things should be fine. IT must just be sure to vary its approach to ensure that it gets the most from its testing, and must look at its Windows systems from every possible angle, because that's what the bad guys are doing.