ServerNotFound asked:

Nessus scan - TLS/SSL errors on servers

We have Nessus scans running against all servers as part of security and compliance.

This is causing a lot of TLS/SSL errors on the servers every week.

More info on the setting in Nessus causing this: https://discussions.nessus.org/message/24142#24142

Is there any way to add the Nessus servers to a 'safe list' so that they will not flood the event logs of servers every week when these scans are run?
btan:

The TLS/SSL errors are really due to the crypto negotiation: the server does not have the "capability" to do that exchange, which causes the error to be logged. Ideally we should really get the server the appropriate crypto support, as shared here, but there can be legacy systems that you want to scan where these SChannel errors are taken as expected and the risk is accepted (not really good, but balanced out as a user).

Maybe it is better then to disable the plugin (see the forum) instead of triggering all these alerts, since it is expected and should not be of that high a risk; other vulnerabilities are more important, as is safeguarding the servers so as not to DoS them inadvertently.

We were able to resolve most of the schannel events by rejecting the following plugins:  21643, 35297, 56984, 62563, 62564.
ServerNotFound (asker):

Unfortunately we cannot disable any of the plugins. We actually are not using most of the ones listed. We cannot disable the SSL cipher scanning as this is part of a security compliance definition.

You should silence the SSL server log by masking out the particular scan error (making sure you are not vulnerable).

If that is the case, then the server end has to be made less "noisy". You can try this:

Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: EventLogging
Data Type: REG_DWORD
Note: After you add this property, you must give it a value. See the table in the "Logging options" section to obtain the appropriate value for the kind of events that you want to log.

Value      Description
0x0000      Do not log
0x0001      Log error messages
0x0002      Log warnings
0x0004      Log informational and success events

If you also see DCOM errors together with the Schannel errors, then you can try this in the Group Policy Editor (run: gpedit.msc): go to Computer Configuration > Administrative Templates > System > Distributed COM > Application Compatibility and enable "Allow local activation security check exemptions".
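The registry steps above, scripted so the change is recorded and repeatable. This is an added example, not code from the thread or from Tenable; it assumes an elevated PowerShell session on the scanned Windows server and uses only the key path and bit values quoted in the reply. The value is a bitmask, so 0x0001 keeps Schannel error events while dropping the warning and informational ones, and 0x0000 silences the provider entirely (which is what the asker wants to avoid).

```powershell
# Added example (not from the original thread): inspect and adjust the SCHANNEL
# EventLogging bitmask at the registry path quoted in the reply above.
# Run in an elevated PowerShell session on the server being scanned.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEventLogging {
    # Returns the current mask as an integer, or $null if the value was never created.
    $item = Get-ItemProperty -Path $SchannelKey -Name 'EventLogging' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.EventLogging
}

function Set-SchannelEventLogging {
    param(
        # Bits from the table above: 1 = errors, 2 = warnings, 4 = informational/success.
        [Parameter(Mandatory)] [ValidateRange(0, 7)] [int] $Mask
    )
    # Record the previous value so the change can be reverted during a rollback.
    $old = Get-SchannelEventLogging
    $oldText = if ($null -eq $old) { 'not set (provider default)' } else { '0x{0:X4}' -f $old }
    Write-Host ("EventLogging before: {0}" -f $oldText)

    # New-ItemProperty creates the DWORD if it is absent; -Force overwrites it if present.
    New-ItemProperty -Path $SchannelKey -Name 'EventLogging' -PropertyType DWord -Value $Mask -Force | Out-Null

    Write-Host ("EventLogging after:  0x{0:X4}" -f (Get-SchannelEventLogging))
    Write-Host "Schannel reads this value at startup; restart the server for it to take effect."
}

# Keep error events (bit 0x1) but drop warning/informational noise.
# Use 0x0000 only if you have accepted losing all Schannel events on this host.
Set-SchannelEventLogging -Mask 0x0001
```

Because the mask is host-wide, it cannot distinguish the Nessus scanners from any other client; it only changes which severities Schannel writes at all. Filtering by source has to happen downstream, in whatever collects the logs.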
ServerNotFound (asker):

These options would disable ALL errors of this kind.

We would still want to have errors when the source was something other than the Nessus servers.
ASKER CERTIFIED SOLUTION by btan (solution text not shown on the page)

SOLUTION (solution text not shown on the page)
Yep, if you install Snare or some sort of log agent to pipe the events over to a log server for aggregation. From the Windows perspective, the event log will likely still be available even with the log piped, though that is probably not the norm for network devices etc. I may be wrong though, but the intent of a log server is to correlate and to provide storage for a longer term.
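One way to separate scan-window noise from errors raised by other clients, whether you query the server directly or feed the output to the log server mentioned above. This is an added example and not code from the thread; it assumes the Schannel provider writes to the System log (it does) and that the weekly scan runs at a known time. Schannel's error events do not record the remote client's address, so the time of occurrence is the practical way to tell the scan window apart from other sources.

```powershell
# Added example (not from the original thread): count Schannel error events per hour
# for the last N days so the weekly scan window stands out from errors at other times.
function Get-SchannelErrorsByHour {
    param(
        [int] $Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)

    # Schannel logs to the System log under provider name 'Schannel'; Level 2 = Error.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        Level        = 2
        StartTime    = $since
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { return @() }

    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Hour  = $_.Name
                Count = $_.Count
                # Distinct event IDs seen in that hour, useful when reviewing the buckets.
                Ids   = ($_.Group.Id | Sort-Object -Unique) -join ','
            }
        }
}

# Hours that line up with the scheduled scan can be attributed to Nessus;
# anything outside that window deserves a closer look.
Get-SchannelErrorsByHour -Days 7 | Format-Table -AutoSize
```

If the events are shipped to a central log server, the same grouping can be done there with the scanner's schedule as a suppression window, which keeps the server-side EventLogging mask untouched and preserves errors from every other source.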