Title: RE: [ISSForum] Internet Scanner 7.0

Not sure where Michael is getting his information. Many of the checks ISS performs require domain admin privileges on the device being scanned to provide accurate results. This is one reason Internet Scanner is not very efficient when used outside of a domain, such as when pen testing a DMZ.

We have tested and seen better results using a domain admin account.  It really depends upon how your domain is configured and whether or not you lock down the local machines.  We have problems with some units that remove Domain Admin users from the local Administrators group or change security on the Admin share.

I have had issues with indeterminate results. Look through the log files. You will find they are most likely false positives, responses from a firewall, lacking admin privileges, etc. I filter out indeterminate results in the analysis view of SiteProtector.

Cheers,

Bill Payne

-----Original Message-----
From: Adam D [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 06, 2003 6:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Internet Scanner 7.0


Yes Bill, I realize that you must use the KnownAccounts file to add the
accounts.  Supposedly you should get better results as an administrator
though, and we simply just aren't seeing it.

Also, what someone said about scans having to be run from SP to feed Fusion
is wrong.  You can run scans from the local console (CLI or GUI interface)
and it will still feed Fusion.  But feeding Fusion all the indeterminates
doesn't do much good.

Michael, you said that the tool wasn't originally intended to be run as an
administrator.  Why does ISS recommend scanning as an admin for best results
then?  And were all of these checks that come back indeterminate designed to
come back indeterminate, or is it actually possible to get a definite
"Vulnerable" or "Not Vulnerable" from them?  I am aware of system scanner,
but like you said, it does not feed fusion.  Fusion was designed with
Internet Scanner to feed it, so why won't it do so?

Just a side note too on Michael's comment, if the updates are not applied
from SP then you will get an invalid policy format because the policies in
SP won't match up with Internet Scanner UNLESS the internet scanner box has
been re-installed on the same host name, in which case the initial xpu level
must be restored from the local internet scanner machine because SP will
only push an XPU to a given host once.

Is anyone else having indeterminate problems with Internet Scanner?????

Thanks for your help & comments, keep 'em coming.


>From: "Epperson, Michael" <[EMAIL PROTECTED]>
>To: "Adam Dyer" <[EMAIL PROTECTED]>,<[EMAIL PROTECTED]>
>Subject: RE: [ISSForum] Internet Scanner 7.0
>Date: Wed, 5 Nov 2003 14:42:03 -0600
>
