System and method for enabling remote registry service security audits

US 8,839,442 B2
Filed: 10/31/2012
Issued: 09/16/2014
Est. Priority Date: 01/28/2010
Status: Active Grant

First Claim

Patent Images

1. A computer system for enabling remote registry service security audits for a plurality of devices in a network having a remote registry service, comprising:

an active vulnerability scanner device configured to scan the network to detect a vulnerability in the network, wherein the active vulnerability scanner device is configured to;

identify at least one of the plurality of devices in the network that has disabled the remote registry service;

communicate an activation message to the at least one identified device, wherein the activation message enables the remote registry service on the at least one identified device;

interact with the enabled remote registry service on the at least one identified device to obtain registry information; and

communicate a deactivation message to the at least one identified device in response to obtaining the registry information, wherein the deactivation message disables the remote registry service on the at least one identified device.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method for enabling remote registry service security audits described herein may include scanning a network to construct a model or topology of the network. In particular, the model or topology of the network may include characteristics describing various devices in the network, which may be analyzed to determine whether a remote registry service has been enabled on the devices. For example, the security audits may include performing one or more credentialed policy scans to enable the remote registry service for certain devices that have disabled the remote registry service, auditing the devices in response to enabling the remote registry service, and then disabling the remote registry service on the devices. Thus, the system and method described herein may enable remotely scanning information contained in device registries during a security audit without exposing the device registries to malicious activity.

Citations

17 Claims

1. A computer system for enabling remote registry service security audits for a plurality of devices in a network having a remote registry service, comprising:
- an active vulnerability scanner device configured to scan the network to detect a vulnerability in the network, wherein the active vulnerability scanner device is configured to;
  
  identify at least one of the plurality of devices in the network that has disabled the remote registry service;
  
  communicate an activation message to the at least one identified device, wherein the activation message enables the remote registry service on the at least one identified device;
  
  interact with the enabled remote registry service on the at least one identified device to obtain registry information; and
  
  communicate a deactivation message to the at least one identified device in response to obtaining the registry information, wherein the deactivation message disables the remote registry service on the at least one identified device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer system of claim 1, wherein the activation message enables the remote registry service on the at least one identified device in response to the active vulnerability scanner device having at least one credential that controls whether the remote registry service can be modified on the at least one identified device.
  - 3. The computer system of claim 1, wherein the active vulnerability scanner device is further configured to:
    - interrogate the at least one identified device to determine whether the remote registry service has been disabled on the at least one identified device; and
      
      identify a potential vulnerability in the network in response to determining that the remote registry service has not been disabled on the at least one identified device.
  - 4. The computer system of claim 1, wherein the active vulnerability scanner device is further configured to identify a potential vulnerability in the network in response to determining that the active vulnerability scanner device lost connectivity to the network prior to obtaining the registry information from the at least one identified device.
  - 5. The computer system of claim 1, wherein the active vulnerability scanner device is further configured to identify a potential vulnerability in the network in response to determining that the active vulnerability scanner device was manually terminated prior to obtaining the registry information from the at least one identified device.
  - 6. The computer system of claim 1, further comprising a passive vulnerability scanner device configured to observe traffic travelling across the network to detect unauthorized attempts to enable or disable the remote registry service on the at least one identified device.
  - 7. The computer system of claim 1, wherein the active vulnerability scanner device is further configured to identify at least one of the plurality of devices that have disabled the remote registry service in response to determining that the at least one identified device runs an operating system having a default setting that disables the remote registry service.
  - 8. The computer system of claim 1, wherein the registry information obtained from the at least one identified device includes at least one of keys, values, file levels, patches, remote operating system versions, or system file locations described in registries associated with the at least one identified device.

9. A method of enabling remote registry service security audits for a plurality of devices in a network having a remote registry service, comprising:
- identifying, by an active vulnerability scanner device configured to scan the network, at least one of the plurality of devices in the network that has disabled the remote registry service;
  
  communicating an activation message from the active vulnerability scanner device to the at least one identified device, wherein the activation message enables the remote registry service on the at least one identified device;
  
  interacting with the enabled remote registry service on at least one identified device, using the active vulnerability scanner device, to obtain registry information; and
  
  communicating a deactivation message from the active vulnerability scanner device to the at least one identified device in response to the active vulnerability scanner device obtaining the registry information, wherein the deactivation message disables the remote registry service on the at least one identified device.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the activation message enables the remote registry service on the at least one identified device in response to the active vulnerability scanner device having at least one credential that controls whether the remote registry service can be modified on the at least one identified device.
  - 11. The method of claim 9, further comprising:
    - interrogating, by the active vulnerability scanner device, the at least one identified device to determine whether the remote registry service has been disabled on the at least one identified device; and
      
      identifying a potential vulnerability in the network in response to the active vulnerability scanner device determining that the remote registry service has not been disabled on the at least one identified device.
  - 12. The method of claim 9, further comprising identifying, by the active vulnerability scanner device, a potential vulnerability in the network in response to determining that the active vulnerability scanner device lost connectivity to the network prior to obtaining the registry information from the at least one identified device.
  - 13. The method of claim 9, further comprising identifying, by the active vulnerability scanner device, a potential vulnerability in the network in response to determining that the active vulnerability scanner device was manually terminated prior to obtaining the registry information from the at least one identified device.
  - 14. The method of claim 9, wherein the active vulnerability scanner device identifies at least one of the devices that have disabled the remote registry service in response to determining that the at least one identified device runs an operating system having a default setting that disables the remote registry service.
  - 15. The method of claim 9, wherein the registry information obtained from the at least one identified device includes at least one of keys, values, file levels, patches, remote operating system versions, and system file locations described in registries associated with the identified devices.

16. A non-transitory computer readable storage medium comprising a memory having instructions stored thereon for enabling remote registry service security audits for a plurality of devices in a network having a remote registry service, which instructions when executed by a processor cause the processor to implement:
- an active vulnerability scanner configured to;
  
  scan the network to detect a vulnerability in the network;
  
  identify at least one of the plurality of devices in the network that has disabled the remote registry service;
  
  communicate an activation message to the at least one identified device, wherein the activation message enables the remote registry service on the at least one identified device;
  
  interact with the enabled remote registry service on the at least one identified device to obtain registry information; and
  
  communicate a deactivation message to the at least one identified device in response to obtaining the registry information, wherein the deactivation message disables the remote registry service on the at least one identified device.

17. An active vulnerability scanner device comprising a processor, which when executing instructions stored in a memory of the active vulnerability scanner device, is configured to:
- scan a network to detect a vulnerability in the network;
  
  identify at least one of the plurality of devices in the network that has disabled the remote registry service;
  
  communicate an activation message to the at least one identified device, wherein the activation message enables the remote registry service on the at least one identified device;
  
  interact with the enabled remote registry service on the at least one identified device to obtain registry information; and
  
  communicate a deactivation message to the at least one identified device in response to obtaining the registry information, wherein the deactivation message disables the remote registry service on the at least one identified device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Deraison, Renaud
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US13/665,077
Publication Number

US 20140013436A1
Time in Patent Office

685 Days
Field of Search

None
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

System and method for enabling remote registry service security audits

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enabling remote registry service security audits

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links