Beginner

Microsoft Windows profiling

What is the best way of profiling machines running different versions of Windows? Nmap sometimes gives false positives and the user agent can also be modified. DHCP probes/device sensor are not helping that much either, or maybe I am just missing something in there. Just wondering what solution is out there without using an agent. Probably an attribute that distinguishes different OS versions. It works fine for domain-joined machines, but I am interested in knowing how others are addressing non-domain PCs running Microsoft Windows.

Xtreme

3 REPLIES 3
VIP Engager

Re: Microsoft Windows profiling

Yeah, this is a tough one. As you said, NMAP OS detection is unreliable. The only reason the domain-joined ones are correct is because the OS attribute is pulled from AD via the AD profiler. The only other reliable way I know of is doing posturing, but I am guessing performing posturing on these devices is not an option.

I run across this a lot in the medical field. The client will have Windows XP machines provided by a vendor doing a critical function in their network.

What issue are you trying to solve by knowing the OS?

VIP Engager

Re: Microsoft Windows profiling

Just thought of one thing you could try. You could possibly try an SMB NMAP probe against the machines to see if you can pull OS data that way.

Beginner

Re: Microsoft Windows profiling

Thanks for the info, Paul. I am trying to block Win 7 machines from gaining access in the future but need to identify them first. My concern with the SMB feature is that once NMAP is enabled it automatically starts scanning all the unknown endpoints, which can be resource intensive. I also know the Nmap scanning can be triggered when the device hits a specific profiling rule (generic Microsoft rule)... Is there a way to first disable the auto scanning, so Nmap will only kick in when the profiling rule is matched?

Thanks for the response.

Xtreme