
Microsoft Windows profiling

xtreme
Level 1

What is the best way of profiling machines running different versions of Windows? Nmap sometimes gives false positives and the user agent can also be modified. DHCP probes/device sensor are not helping that much either, or maybe I am just missing something in there. Just wondering what solution is out there without using an agent. Probably an attribute that distinguishes different OS versions. It works fine for domain-joined machines, but I am interested in knowing how others are addressing non-domain PCs running Microsoft Windows.

 

Xtreme

3 Replies

paul
Level 10

Yeah, this is a tough one. As you said, NMAP OS detection is unreliable. The only reason the domain-joined ones are correct is because the OS attribute is pulled from AD via the AD profiler. The only other reliable way I know of is doing posturing, but I am guessing performing posturing on these devices is not an option.

 

I run across this a lot in the medical field.  The client will have Windows XP machines provided by a vendor doing a critical function in their network.

 

What issue are you trying to solve by knowing the OS?

Just thought of one thing you could try.  You could possibly try an SMB NMAP probe against the machines to see if you can pull OS data that way.

Thanks for the info, Paul. I am trying to block Win 7 machines from gaining access in the future but need to identify them first. My concern with the SMB feature is that once NMAP is enabled it automatically starts scanning all the unknown endpoints, which can be resource intensive. I also know the Nmap scanning can be triggered when the device hits a specific profiling rule (generic Microsoft rule)... Is there a way to first disable the auto scanning, so Nmap will only kick in when the profiling rule is matched?

 

Thanks for the response.

 

Xtreme
