
Properly analyzing your Windows server vulnerability scan results

Not everything picked up by a vulnerability scan is as critical as some would have you believe. In fact, a lot of it can be taken with a big grain of salt.

In this era of PCI DSS and heightened audit requirements, you're likely looking at your Windows servers in a new light – a big, bright spotlight that is.

Using specialized vulnerability scanners such as QualysGuard or GFI LANguard, you can look at your Windows servers from every perspective to find the low-hanging fruit and more obscure weaknesses that can be exploited.

But there's a dirty little secret about vulnerability scanning that vendors and auditors don't want you to know about. The fact is, many – if not most – of the findings your vulnerability scanners spit out are not as big of a deal as they're made out to be. Be it a vendor marketing trick or people trying to justify their jobs, you have to take the findings of your vulnerability scanners with a big grain of salt.

I think we're only kidding ourselves and creating more work when we look at a vulnerability scanner report and assume that just because everything looks bad that it actually is. Case in point: a client of mine was recently told by his outside auditor that all medium- and high-priority (levels 3 through 5) vulnerability scanner findings have to be remediated regardless of the situation. Seriously!?

Once a rarely-performed act requiring specialized skills, basic Windows server vulnerability scans are now a dime a dozen. Unfortunately these scans are often performed and interpreted by people who have very limited knowledge of operating systems, applications, and hacking techniques. It's sort of like a nurse interpreting the results of a CT scan or MRI and totally bypassing the expertise of a well-trained radiologist. We have to step out of this mindset that's leading to these amateurish "the sky is falling" audits, as it's really missing the big picture.

A best practice is to up the ante on the human context you bring to your Windows server security assessments. By doing so, you'll be able to:

  1. see what can actually be exploited – or reasonably lead to an exploit – by a malicious attacker
  2. find out what truly matters in your specific business environment
  3. determine which findings you need to focus your efforts on

Every scenario is different, but you can often count on the same vulnerabilities to create the greatest risks, as shown in Figure 1.

Figure 1. Windows server weaknesses that usually lead to trouble

These three vulnerabilities aren't always a problem though. They may be present on a development or quality assurance (QA) network segment that's inaccessible to the rest of the organization, or perhaps these weaknesses are on training servers which are not part of the Windows domain and house no production data. You have to dig in further to see what matters. Going beyond these common issues, I see businesses getting dinged for things like:

  • Guest and Administrator accounts not being renamed
  • Exchange servers accepting plain text SMTP login credentials
  • NetBIOS names being accessible over the network
  • Internet Information Services (IIS) configured to use NTLM authentication

The list goes on and on. But what do these items really mean? Are they actual vulnerabilities? Are they as high a priority as the scanners and auditors make them out to be?

The important thing is to not be fooled. If you get a negative report from a vulnerability scanner, auditor, or outside consultant/security firm, be sure to ask how and why each thing matters in your environment. You can filter out the noise by applying the following questions to each of the findings:

  1. Is sensitive information such as personally identifiable information (PII) or intellectual property being put at risk?
  2. Is a written policy or regulation being violated?
  3. Can the weakness lead to further system penetration?

You have to be fair about these questions and give them the attention they deserve. You'll likely find that the majority of findings don't matter all that much in the grand scheme of things.
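As an added example (it is not code from the article, from the author, or from any scanner vendor), the following Python routine applies the three questions above, together with the exposure context the article describes (an isolated dev/QA segment, a non-domain training server, no production data), to a constructed set of scan findings. The host inventory fields, the priority thresholds and the sample findings are all assumptions made for illustration; `auditor_queue` models the "remediate everything at level 3 and up" rule from the client story so the two approaches can be compared.

```python
"""Context-aware triage of Windows server vulnerability scan findings.

Added illustration, not part of the original article. The record layout,
inventory fields and priority rules are constructed assumptions; real
scanners export their own formats and you would map those onto Finding.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    segment: str                 # e.g. "prod", "qa", "training" (assumed inventory field)
    reachable_from_prod: bool    # can production users/servers reach this host?
    domain_member: bool          # joined to the Windows domain?
    holds_sensitive_data: bool   # PII or intellectual property present?


@dataclass
class Finding:
    host: str
    title: str
    scanner_level: int                    # 1 (low) .. 5 (critical) as the scanner reports it
    exposes_sensitive_data: bool = False  # question 1: sensitive information at risk?
    violates_policy: bool = False         # question 2: written policy/regulation violated?
    enables_further_access: bool = False  # question 3: can it lead to further penetration?


def auditor_queue(findings: list[Finding]) -> list[Finding]:
    """The 'fix every level 3-5 finding regardless of context' rule."""
    return [f for f in findings if f.scanner_level >= 3]


def contextual_priority(f: Finding, h: Host) -> tuple[str, list[str]]:
    """Answer the three questions for one finding in the light of its host's
    exposure and return (priority, reasons). Thresholds are assumptions."""
    reasons: list[str] = []
    # An isolated, non-domain box with no production data shrinks the impact
    # of almost any finding; a policy violation is the one thing it cannot excuse.
    isolated = not (h.reachable_from_prod or h.domain_member or h.holds_sensitive_data)
    yes = 0
    if f.exposes_sensitive_data and h.holds_sensitive_data:
        yes += 1
        reasons.append("puts PII/intellectual property at risk")
    if f.violates_policy:
        yes += 1
        reasons.append("violates a written policy or regulation")
    if f.enables_further_access and h.reachable_from_prod:
        yes += 1
        reasons.append("can lead to further system penetration")
    if isolated and not f.violates_policy:
        return "noise", reasons + ["host is isolated, non-domain and holds no production data"]
    if yes == 0:
        return "noise", reasons + ["none of the three questions answered yes"]
    if yes >= 2:
        return "fix now", reasons
    return "fix when convenient", reasons


def triage(findings: list[Finding], hosts: dict[str, Host]) -> dict[str, list[tuple[str, str]]]:
    """Bucket every finding by contextual priority as (host, title) pairs."""
    buckets: dict[str, list[tuple[str, str]]] = {"fix now": [], "fix when convenient": [], "noise": []}
    for f in findings:
        priority, _ = contextual_priority(f, hosts[f.host])
        buckets[priority].append((f.host, f.title))
    return buckets


# Constructed sample inventory and scan output (not real hosts or results).
SAMPLE_HOSTS = {
    "WEB01": Host("WEB01", "prod", True, True, True),
    "QA02": Host("QA02", "qa", False, False, False),
    "TRAIN03": Host("TRAIN03", "training", False, False, False),
}
SAMPLE_FINDINGS = [
    Finding("WEB01", "IIS configured to use NTLM authentication", 3),
    Finding("WEB01", "Missing security update allowing remote code execution", 5,
            exposes_sensitive_data=True, enables_further_access=True),
    Finding("QA02", "Guest account not renamed", 3),
    Finding("TRAIN03", "Plain text SMTP login credentials accepted", 4, enables_further_access=True),
    Finding("WEB01", "Administrator account not renamed", 3, violates_policy=True),
    Finding("QA02", "Password complexity not enforced", 3, violates_policy=True),
]


def summarize(findings: list[Finding] = SAMPLE_FINDINGS, hosts: dict[str, Host] = SAMPLE_HOSTS) -> dict[str, int]:
    """Count findings per bucket alongside the blanket auditor rule."""
    counts = {k: len(v) for k, v in triage(findings, hosts).items()}
    counts["auditor queue"] = len(auditor_queue(findings))
    return counts


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_FINDINGS, SAMPLE_HOSTS).items():
        print(f"{bucket}: {items}")
    print(summarize())
```

On the constructed sample the blanket rule queues all six findings, while the context-aware pass leaves one to fix now, two to schedule, and three to document as noise; the isolated QA host still surfaces its policy violation, because question 2 does not depend on exposure.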

If and when you get your Windows servers really tightened down and can justify the time, there's nothing wrong with tweaking them to come up with a clean assessment report. Just use some common sense and reasonable discretion – two things we can certainly use more of in IT these days.

Kevin Beaver is an information security consultant, expert witness, seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. He has also authored/co-authored several books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at his website
