If you want to run a quick vulnerability assessment on a single Windows system, read the following article.
OpenScap
Update November 2022: OpenScap will not get any further updates for Windows – Therefore, please use the SCAP Compliance Checker (scroll down)
openscap/windows.md at maint-1.3 · OpenSCAP/openscap · GitHub
One of the applications I use is the command-line tool OpenSCAP. For Windows client and server operating systems, download the latest MSI installer from: https://github.com/OpenSCAP/openscap/releases
Run the setup, then open “Windows Explorer” and go to the path where OpenSCAP has been installed: “C:\Program Files (x86)\OpenSCAP 1.3.4”
Optional: To avoid installing the executables on every single system, you can copy the folder to a central location and reuse it later on other systems.
SCAP content
To compare your system against the STIG (Security Technical Implementation Guides) standard, you have to download the STIG Benchmark file for your operating system.
Go to: https://public.cyber.mil/stigs/scap/
…and download the compressed file:
Copy the extracted XML file to the OpenScap directory:
Run the assessment
Open a “Command Prompt” as Administrator, change the directory to the OpenSCAP path and run the following command (use your downloaded XML file in the command!):
oscap xccdf eval --report report.html U_MS_Windows_10_V2R1_STIG_SCAP_1-2_Benchmark.xml
Open the HTML report “report.html”, check each finding and remediate it if possible (this depends on compatibility with other systems / system landscape / specific requirements / down-level compatibility / etc.)
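To triage the findings outside the HTML report, oscap can also write machine-readable XCCDF results when `--results results.xml` is added to the command above. The following is an added example, not part of the original article: it lists the rules that need attention, sorted by severity. The file name results.xml, the rule ids and the embedded sample are constructed for illustration.

```python
"""Summarise an XCCDF results file written by `oscap xccdf eval --results`."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 namespace
NS = {"x": XCCDF}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
# Results that are not a clean pass and need a human to look at them.
NEEDS_REVIEW = {"fail", "error", "unknown", "notchecked"}

# Constructed sample with placeholder rule ids, used when no file is given.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_A" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_B" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_C" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_D" severity="medium"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_E"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarise(xml_text):
    """Return (Counter of result values, review list sorted by severity)."""
    # The file is produced locally by oscap; use a hardened parser
    # (for example defusedxml) for result files received from elsewhere.
    root = ET.fromstring(xml_text)
    runs = list(root.iter("{%s}TestResult" % XCCDF))  # includes the root itself
    if not runs:
        raise ValueError("no XCCDF 1.2 TestResult found; was --results used?")
    counts, review = Counter(), []
    for rr in runs[-1].findall("x:rule-result", NS):  # last run in the file
        result = (rr.findtext("x:result", default="", namespaces=NS) or "unknown").strip()
        counts[result] += 1
        if result in NEEDS_REVIEW:
            # severity is optional on rule-result; treat a missing one as unknown
            review.append((rr.get("severity", "unknown"), rr.get("idref"), result))
    review.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 9), f[1]))
    return counts, review


if __name__ == "__main__":
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    counts, review = summarise(text)
    print(dict(counts))
    for severity, rule, result in review:
        print(f"{severity:8} {result:10} {rule}")
```

Rules reported as "notchecked" or "error" are listed alongside failures because the scanner did not evaluate them, so they still need a manual check.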
SCAP Compliance Checker (fast & easy)
Another option is the SCAP Compliance Checker – Download “SCC 5.5 Windows” from: https://public.cyber.mil/stigs/scap/
Run the installer and start a scan (by default it checks against all available benchmarks):
When finished, you can review the findings and recommendations directly within the tool:
Stay safe…
Hey,
First up, nice and comprehensive article. I often used it to show new users what SCAP is about at first glance.
However please note that OpenSCAP Support for Windows is “void” as of February 2022. See: https://github.com/OpenSCAP/openscap/blob/maint-1.3/docs/windows.md
As much as I love OpenSCAP, I wouldn’t recommend creating new workloads with it; sooner or later there will be some new features implemented in (Open)SCAP which won’t be ported back to OpenSCAP for Windows, I guess….
Thank you Lee!!!
Hi Andi,
Nice article, but can you provide the full command? It looks like you’ve also used some --skip options which are not mentioned in the text. I’m asking because I’ve tested oscap 1.3.6 on Windows Server 2016 and it failed. Did you test it only on Windows 10 or on other OSs as well?
Thanks
Hi Kiro
I’ve only tested OpenSCAP on a Windows 10 machine. Meanwhile I prefer to use the SCAP Compliance Checker, which is simpler, self-explanatory and 100% works on multiple OSs.
Hi Andi,
Thanks for your answer. In this case I will test the checker on different Windows OSs as well, although having 2 working solutions would be better.
Thanks