Quick & dirty vulnerability assessment on Windows

If you want to run a quick vulnerability assessment on a single Windows system, read the following article.

OpenScap

Update November 2022: OpenScap will not get any further updates for Windows – Therefore, please use the SCAP Compliance Checker (scroll down)

openscap/windows.md at maint-1.3 · OpenSCAP/openscap · GitHub

One of the applications I use is the command line tool OpenSCAP – for Windows client and server operating systems, download the latest msi installer from: https://github.com/OpenSCAP/openscap/releases

Run the setup and open “Windows Explorer” to go to the path where OpenScap has been installed: “C:\Program Files (x86)\OpenSCAP 1.3.4”

Optional: To avoid installing the executables on every single system, you can copy the folder to a central location and reuse it later on other systems.

SCAP content

To compare your system against the STIG (Security Technical Implementation Guides) standard, you have to download the STIG Benchmark file for your operating system.

Go to: https://public.cyber.mil/stigs/scap/

…and download the compressed file:

Copy the extracted XML file to the OpenScap directory:

Run the assessment

Open a “command prompt” as Administrator – change the directory to the OpenScap path and run the following command (use your downloaded XML file in the command!):

oscap xccdf eval --report report.html U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark.xml

Open the HTML report “report.html”, check each finding, and remediate it where possible (this depends on compatibility with other systems, the system landscape, specific requirements, down-level compatibility, etc.).
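For triage outside the HTML report, oscap can also write machine-readable results when --results results.xml is added to the command above. The PowerShell below is an added example, not part of the original article or of OpenSCAP itself; the $ResultsPath parameter is an assumption and the embedded sample with its rule ids is constructed.

```powershell
# Added example: triage XCCDF rule results produced with, for instance,
#   oscap xccdf eval --results results.xml --report report.html <benchmark>.xml
param([string]$ResultsPath)   # assumption: optional path to that results.xml

# Constructed sample used when no path is given; rule ids are placeholders.
$sample = @'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_constructed_testresult_demo">
    <rule-result idref="xccdf_constructed_rule_A" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_constructed_rule_B" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_constructed_rule_C" severity="low"><result>pass</result></rule-result>
    <rule-result idref="xccdf_constructed_rule_D" severity="medium"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_constructed_rule_E" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>
'@

$text = if ($ResultsPath) { Get-Content -Raw -LiteralPath $ResultsPath } else { $sample }
$doc = [xml]$text

# local-name() keeps the query independent of the XCCDF namespace version.
$rules = Select-Xml -Xml $doc -XPath "//*[local-name()='rule-result']" | ForEach-Object {
    [pscustomobject]@{
        Rule     = $_.Node.GetAttribute('idref')
        Severity = $_.Node.GetAttribute('severity')
        Result   = $_.Node.SelectSingleNode("*[local-name()='result']").InnerText
    }
}

# Totals per outcome (pass, fail, notapplicable, error, ...).
$rules | Group-Object Result | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Anything that is not a clean pass or a deliberate skip needs a look;
# 'error' and 'unknown' mean the check itself did not complete.
$rank = @{ high = 0; medium = 1; low = 2 }
$rules | Where-Object { $_.Result -in 'fail', 'error', 'unknown' } |
    Sort-Object { if ($rank.ContainsKey($_.Severity)) { $rank[$_.Severity] } else { 3 } }, Rule |
    Format-Table Severity, Result, Rule -AutoSize
```

Rules reported as error or unknown were not actually evaluated, so they should not be read as compliant.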

SCAP Compliance Checker (fast & easy)

Another option is the SCAP Compliance Checker – Download “SCC 5.5 Windows” from: https://public.cyber.mil/stigs/scap/

Install the setup and run a scan (by default it checks against all available benchmarks):

When finished, you can review the findings and recommendations directly within the tool:

Stay safe…

Lee
July 14, 2022 4:06 pm

Hey,

First up, nice and comprehensive article. Often used it to show what SCAP is about to new users at a first glance.

However please note that OpenSCAP Support for Windows is “void” as of February 2022. See: https://github.com/OpenSCAP/openscap/blob/maint-1.3/docs/windows.md

As much as I love OpenSCAP, I wouldn’t recommend creating new workloads with it; sooner or later there will be some new features implemented in (Open)SCAP which won’t be ported back to OpenSCAP for Windows, I guess….

admin
Admin
September 11, 2022 7:52 pm
Reply to  Lee

Thank you Lee!!!

Kiro
February 4, 2022 2:14 pm

Hi Andi,
nice article, but can you provide the full command? It looks like you’ve also used some –skip options which are not mentioned in the text. I’m asking because I’ve tested oscap 1.3.6 on Windows Server 2016 and it failed. Did you test it only on Windows 10 or on other OSs as well?
Thanks

Kiro
February 5, 2022 9:20 am
Reply to  Andi Wirz

Hi Andi,
thanks for your answer. In this case I will test the checker as well on different Windows OSs, although having 2 working solutions would be better.
Thanks