Vulnerability Management Pt. 1

We’ve established one thing I absolutely hate is inventory management, but with a few tricks up my sleeve it can become so much easier.  First, let’s look at device information, and what we’re missing.

Windows Management Instrumentation

Windows Management Instrumentation (WMI) is an amazing part of the Windows OS.  I’m amazed at the amount of information that can be pulled out of WMI, but also at the number of IT administrators out there who still don’t realize it’s there.  When I started moving into server administration, WMI became an important part of my day-to-day operations.  After moving into Infosec, I use it just as much to gather information on domain systems that isn’t otherwise readily available, to help manage vulnerabilities.

In every talk I give on this topic, I seem to come back to the same classes for obtaining system information.

  • Win32_OperatingSystem
  • Win32_ComputerSystem
  • Win32_Process
  • Win32_Service
  • Win32_BIOS

Of these five Win32 classes, I pull the most information out of the OperatingSystem, BIOS, and ComputerSystem classes.

Putting it to work

The easiest way to get information out of WMI is with PowerShell’s Get-WMIObject cmdlet.  Example:


This will return specific information about the computer system.  Take advantage of PowerShell’s pipeline to export the data to CSV, export to Excel using Doug Finke’s Import Excel module, or use PowerShell and COM.  In my case, I have a local SQL database installed, and will export to CSV and import the data from there.

To get the data out of the computers on your network via WMI, add the -ComputerName parameter.  Combined with the Get-ADComputer cmdlet, this lets you read the data from every system joined to the domain.  We’ll put that to use later on in this series.
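As an added example (not code from the original post), here is the collection loop the two paragraphs above describe: Get-ADComputer feeds -ComputerName, each host’s OperatingSystem, ComputerSystem and BIOS classes are read, and one flat row per host is exported to CSV for import into SQL or Excel.  The output path, the use of the RSAT ActiveDirectory module, and the assumption that the running account has remote WMI/DCOM rights on the targets are mine, not the post’s.

```powershell
# Added example, not code from the original post: one inventory row per
# domain computer from the three WMI classes the post leans on most.
# Assumptions: the ActiveDirectory (RSAT) module is installed, the account
# has remote WMI/DCOM rights on the targets, and $OutFile is a placeholder.
Import-Module ActiveDirectory

$OutFile   = 'C:\Inventory\wmi-inventory.csv'   # placeholder; change as needed
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

$Rows = foreach ($Computer in $Computers) {
    try {
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $cs   = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $Computer -ErrorAction Stop
        $bios = Get-WmiObject -Class Win32_BIOS            -ComputerName $Computer -ErrorAction Stop

        # One flat row per host so the CSV imports cleanly into SQL or Excel.
        [PSCustomObject]@{
            ComputerName = $Computer
            Manufacturer = $cs.Manufacturer
            Model        = $cs.Model
            SerialNumber = $bios.SerialNumber
            BIOSVersion  = $bios.SMBIOSBIOSVersion
            OSCaption    = $os.Caption
            OSVersion    = $os.Version
            OSBuild      = $os.BuildNumber
            LastBoot     = $os.ConvertToDateTime($os.LastBootUpTime)
            Collected    = (Get-Date)
            Status       = 'OK'
        }
    }
    catch {
        # Unreachable or access-denied hosts stay in the inventory as a gap to
        # chase, instead of silently disappearing from the report.
        [PSCustomObject]@{
            ComputerName = $Computer; Manufacturer = $null; Model = $null
            SerialNumber = $null; BIOSVersion = $null; OSCaption = $null
            OSVersion = $null; OSBuild = $null; LastBoot = $null
            Collected = (Get-Date); Status = "ERROR: $($_.Exception.Message)"
        }
    }
}

$Rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
# Quick list of what could not be reached, for follow-up.
$Rows | Where-Object Status -ne 'OK' | Select-Object ComputerName, Status
```

Hosts that error out are the ones most worth a second look: a box that the domain knows about but WMI cannot reach is exactly the kind of unknown the rest of the post warns about.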

For more information head over to the Win32 Provider’s MSDN Page.

Now the why

Although it sounds a bit cliché, it really is impossible to protect what is unknown.  This approach lets admins get back to one of the fundamentals of information security: understanding what is on the network.  If there is one thing I’ve learned, even though I hate inventory, it is that it’s a great feeling to know what the impact to the systems on my network is when a new critical vulnerability is released.  Using PowerShell and WMI gives me the ability to understand what exists without having to rely on expensive tools to do it for me, and I’m able to transfer my scripts to any Windows domain I’m working with relative ease.

Experiment with the different WMI classes and see what other useful information can be pulled.  In the next part of this series, we’ll start looking at how to track the vulnerabilities uncovered as part of the inventory process.

EYE H8 Inventory

For the first part of this multi-part series on vulnerability management we’re going to take a trip down memory lane.  There was a time when I worked retail, and was somewhat decent at it.  The one part I hated more than anything was managing the inventory, and the monthly checklists of going through the stock to discover there was an item that was a whopping 95 cents that I had to adjust for.  At that point in my life, I knew that retail job was going to be a stepping stone into computers, and I was able to escape.

What the hell?!?  The first thing they wanted me to do when I got onto the help desk was to take an inventory of all systems and compare the serial numbers and locations to what we had on site.  I thought I was escaping this life, but here I am again with a checklist, working a swing shift, trying to account for the inventory and making sure no one had walked off with it, or that it hadn’t been replaced with a different system that wasn’t accounted for.

Now for the fun fact for the people out there like me that hate doing inventory tasks.  It’s really really super duper important when managing enterprise vulnerabilities.  If it’s not accurate, the group in charge of managing vulnerabilities is going to have a ton of difficulties, and nothing is ever going to get accomplished in a reasonable amount of time.  After having built vulnerability management programs, I have come to respect that inventory management process.

Vulnerability management is a passion of mine, and something that will be a constant topic on this site moving forward.  Without properly managing vulnerabilities on the network, Infosec and IT teams (where Infosec is not readily available) end up running in circles, and often have difficulties getting the buy-in necessary to build security functions into their daily operations.  They can also end up being seen as crying wolf every time a new major vulnerability drops, and they need to stop everything to run out and get it patched with no metrics on impact and success rates.  We’ll get to the tracking part later, we gotta start small…

The upcoming part one of vulnerability management will look at ways to fingerprint the devices on your networks, using some scripts and network tools, when you need to and even if you can’t get to the physical location where the equipment is stored.  Once we know what we have, we can start looking for ways to keep tabs on them.