If you are reading this you may be undergoing a Cyber Essentials Plus audit, which requires you to undergo a credentialed patch scan, one of the products which can be used is Tenable Nessus.
Your Cyber Essentials certification body may have asked you to configure your environment in preparation for this, this is a requirement and failure to not have a successful credential patch scan will result in your audit failing.
This guide walks you through the process of configuring your environment in preparation for an audit. There are several parts to this configuration and this guide will concentrate using the group policy management tool as a way of configuring the environment. All the configuration settings can be added to the one Group Policy Object.
If you don’t have Active Directory, then you can configure all your machines locally using the Local Group Policy Editor functionality.
This guide also assumes that you are using the built in Windows firewall, if you are using another endpoint firewall such as that from your Antivirus vendor, then add exceptions accordingly.
The steps to configure the environment are as follows:
Create a domain user and group and name them accordingly, then make the new user is a member of the new group.
Expand your GPO and go to Computer configuration -> Windows Settings -> Security Settings -> Restricted Groups, right click and select ‘Add Group’ and select the group you have just created. This will open up the below screen, add the group, if its not already there then select the button Add button and add ‘builtin\administrators’.
Click OK to save.
Expand your GPO and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network List Manager Policies. Select the network that are using within your business, by default this will be ‘Network’. Click on the ‘Network Location’ tab and then change the location type to ‘Private’.
Once changed, click ok to save.
Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security. In the right pane, expand Windows Firewall with Advanced Security until Inbound Rules visible. Right-click on it.
Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security. In the right pane, expand Windows Firewall with Advanced Security until Inbound Rules visible. Right-click on it.
Go to Computer Configuration -> Preferences -> Windows Settings -> Registry, right click on the right pane and select new -> registry item.
Click OK to save.
Go to Computer Configuration -> Preferences -> Control Panel Settings -> Services, right click on the right pane and select New -> Service.
And that’s it, once one wait for the changes to propagate around your environment. This will require a computer restart to take effect. You should then be ready for your certification body to perform a scan using Nessus.
