Isolating vulnerable systems
We have a windows server (we'll call it ServerA) that has a critical vulnerability. For the next few months, we cannot patch this system. I was thinking about this. The only two systems that need to access this system are ServerB and the vulnerability scanner.
I was thinking about using Windows firewall to allow traffic from ServerB to ServerA over the specific TCP port it needs. This seems easy enough. My confusion is, how do I allow this for the vulnerability scanner? I think would need to allow all ports, but then I'm allowing the scanner full access to the system. Not sure that makes sense
The other thing I thought of was creating an ACL on the L3 switch that only allows traffic with those source addresses to ServerA, but network management doesn't seem to want to be bothered with that
How would you all isolate this?
I was thinking about using Windows firewall to allow traffic from ServerB to ServerA over the specific TCP port it needs. This seems easy enough. My confusion is, how do I allow this for the vulnerability scanner? I think would need to allow all ports, but then I'm allowing the scanner full access to the system. Not sure that makes sense
The other thing I thought of was creating an ACL on the L3 switch that only allows traffic with those source addresses to ServerA, but network management doesn't seem to want to be bothered with that
How would you all isolate this?
Comments
-
yoba222
Member Posts: 1,237 ■■■■■■■■□□
Run a credentialed scan on the vulnerable machine, where you create a Windows account that has read-only credentials and then use these credentials in the scan. One alternative might be to put a scanning agent on the Windows machine if your scanner supports that. That way you can really ratchet down on open ports like you mentioned.A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP -
mnashe
Member Posts: 136 ■■■□□□□□□□
Not sure I follow this. The scan is a credential scan, but the windows account that is used with the scan is a "domain admin". How does one create a read-only windows account? -
TechGuru80
Member Posts: 1,539 ■■■■■■□□□□
Which scanner? Is it possible to install a scanner locally? I am not sure exactly why you even care about scanning the system if you cannot patch it.
You could open all ports specifically coming from the vulnerability scanner system too. -
mnashe
Member Posts: 136 ■■■□□□□□□□
TechGuru80 wrote: »Which scanner? Is it possible to install a scanner locally? I am not sure exactly why you even care about scanning the system if you cannot patch it.
You could open all ports specifically coming from the vulnerability scanner system too.
Scanner is Nessus. I care about scanning because the critical vuln that I'm talking about requires an upgrade to the application, which cant be done for a few months. We are able to resolve other vulnerabilities that may exist
I can probably install a scanner locally, if thats the best option. I'm just trying to figure out what is best practice for isolating this system, meaning is it better to use a host based firewall or isolate it using network ACLs
I guess I can open all ports to the scanner to. We'll possibly find more vulnerabilities that way.
What I'm not following is the comment of credential scans. If I use a credential scan, it still won't work if I don't allow the scanner through the host firewall -
joneno
Member Posts: 257 ■■■■□□□□□□
Because there's a vulnerability doesn't mean it would be exploited, carry out a risk assessment before you go on with applying whatever controls (ACLS, Firewall)you're thinking about.
A simple control could also be for management to accept the risk knowing you're upgrading the system soon.