
Windows XP firewall registry settings and FDCC/USGCB


I run vulnerability scans with Symantec's Secure Fusion. I am trying to verify that the Policy & Controls listed in the XP firewall standard profile are correct based on the FDCC/USGCB registry settings (see below). I realize that GPOs can change what is seen on the XP box based on the domain GPO settings, etc. I want to understand what is going on between the XP registry and the FDCC/USGCB registry settings. I see the settings in Secure Fusion and the FDCC/USGCB settings, but when I look at an XP box, the registry settings are not there. Here is what I see:

 

Secure Fusion Definition:

Policy Statement:
Windows Firewall - Standard Profile
Control Name:
Allow remote administration exceptions (Disabled)
Control Description:
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1044 to 1044 but potentially anywhere from 1044 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. References: (CCE-2954-6)

Standard Profile: Allow remote administration exception (SP2 only)       

(1) enabled/disabled

(2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop


CCE information:

CCE-2954-6: Platform: winxp Date: 2012-03-13   (M)2013-03-17

Standard Profile: Allow remote administration exception (SP2 only)

Parameter: (1) enabled/disabled

Technical Mechanism: Registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop

OVAL  Information:

 Allow remote administration exceptions disable - Standard Profile

ID: oval:gov.nist.USGCB.xpfirewall:def:51041 Date: (C)2012-04-13   (M)2013-03-17

Class: COMPLIANCE Family: windows

USGCB Information:

Guidance for Securing Microsoft Windows XP Firewall

ID: xccdf_gov.nist_benchmark_USGCB-Windows-XP-firewall Date: (C)2011-11-11   (M)2013-03-17

Status:  Version: v1.2.3.1

Platform: cpe:/o:microsoft:windows_xp Source: [http://alpha.nist.gov]

NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 and SP3 systems with Windows Firewall.

 

So the low non-compliance percentage in Secure Fusion is due to the fact that the registry key does not exist for the scan to read and verify/change to disabled, but the group policy admin templates on the machine list it as disabled, yet there are no registry keys to validate that it is disabled.

 

So can I assume that if there is no registry key for this particular control, then the vulnerability does not exist, and the XP box passes the vulnerability scan?

Or if the registry setting is not there, then the GPO has removed it, and then the vulnerability is not there and the vulnerability scan passes?

Or is this an issue of the Service Pack 2 installation of the firewall in XP not putting in all the parameters listed in the FDCC/USGCB?

