Using Manufacturer Information For Automatic Dynamic Asset List Creation

We've blogged in the past about how the Security Center can use any data obtained by Nessus or the Passive Vulnerability Scanner to automatically classify a host into one or more political or technical asset lists. Information gathered by the 13,000+ Nessus scanning, patch auditing and compliance checks and the 3000+ Passive Vulnerability Scanner plugins can be used to automatically find and categorize your networks and systems by Windows domain, installed software, location on the network and so on.

With the recent introduction of the "Computer Manufacturer Information" Nessus check (plugin ID #24270), it is now possible to use this information to classify your Windows assets based on hardware manufacturer information. This blog entry shows what sort of data can be obtained by this plugin and how it can be used to create lists of existing Dells, HPs and ThinkPads, as well as existing portable, tower, rack mount and other types of systems.

Computer Manufacturer Information Example

Plugin #24270 can query the remote Windows device and ask it which manufacturer made it, the model of the unit and what sort of type it is. Let's look at two examples:

Computer Manufacturer : Dell Inc.
Computer Model : Latitude D820
Computer Type : Portable

Computer Manufacturer : Dell Computer Corporation
Computer Model : Dimension 8200
Computer Type : Mini Tower

This text comes from two scans against a laptop and an older tower. The plugin provides information on the manufacturer and the specific vendor computer model. Both of these values are controlled by the manufacturer.

The type indicates the physical form factor of the device and can have the following values:

• All in One
• Bus Expansion Chassis
• Desktop
• Docking Station
• Expansion Chassis
• Hand Held
• Laptop
• Low Profile Desktop
• Lunch Box
• Main System Chassis
• Mini Tower
• Notebook
• Other
• Peripheral Chassis
• Pizza Box
• Portable
• Rack Mount Chassis
• Sealed-Case PC
• Space-Saving
• Storage Chassis
• SubChassis
• Sub Notebook
• Tower
• Unknown

Asset Classification

The Security Center can make use of the output from this plugin and automatically create dynamic asset lists based on the manufacturer or type. Below is a screen shot of a basic rule that matches the word "Dell" as a manufacturer:

Each time Nessus performs a scan of this plugin, with the above dynamic asset rule, the Security Center will automatically create a list of all "Dell" computers.

Any of the information in this plugin can be used to create a dynamic asset list.  With this plugin and Security Center,  it is very trivial to scan a network with credentials and create lists for many different items such as unique manufacturers, unique device types and specific deployed models .

Security, Compliance and IT Management Implications

Being able to categorize assets based on manufacturer, model and type can have a variety of implications for IT monitoring. These include:

• Discovering manufacturers which have been purchased against corporate acquisition policies. For example, you might be an "HP" shop. If so, why are there a few "Dell" laptops in the network?
• Remotely identifying if a device is a mobile device or not. Laptops, hand-helds and even mini-towers can be easily moved. Being able to determine what a device actually is without physically touching it is very valuable.
• Having the ability to identify just the models from a specific IT purchase or from a recent merger/acquisition is also extremely useful. Occasionally, a computer vendor will ship computer units with different default Windows settings, different BIOS settings, hardware that requires replacing and so on.
• Rapid counting of assets. Being able to scan with Security Center or Nessus and then quickly report on the number of unique manufacturers, number of laptops, specific model counts is very valuable to IT.

For More Information

Tenable has released this plugin under the Nessus Registered Feed. It is released for Nessus 3 as a .nbin file and makes use of Tenable's implementation of agentless WMI technology. Users who wish to write their own WMI queries for Nessus should consider the current Nessus 3.2 BETA which supports a library for rapid development and testing.