Configure source ip for Nessus daemon on Windows

Nessus from Tenable Network Security is an invaluable tool for vulnerability scanning. As a windows-only shop, we were very pleased that Nessus would run on a Windows platform. For our configuration, we have a server sitting outside of our firewall with multiple public IP addresses. We configured firewall policies for the system’s primary IP address to allow it necessary access into our environment and from our management subnet to the device. That means we needed a different IP address to use for scanning so it can be subject to the standard rules that apply to all external traffic.

In *nix environments, the Nessus daemon has a command line switch that forces the scanner to use a specific source IP for scans (this is different than the “listen address” which is used by remote clients to connect to the scanner – that setting can be configured in nessusd.conf). Unfortunately, the nessus-service.exe called by the Windows Service does not pass command line parameters to the nessusd process.

Not to worry, our old friend srvany comes to the rescue (note that srvany only works on Windows 2000/2003/XP). Perform the following steps:

  1. Stop the Nessus service
  2. Copy the srvany.exe executable to C:\Program Files\Tenable\Nessus
  3. Modify the ImageName value under HKLM\SYSTEM\CurrentControlSet\Services\Tenable Nessus to C:\Program Files\Tenable\Nessus\srvany.exe
  4. Add a Parameters key under HKLM\SYSTEM\CurrentControlSet\Services\Tenable Nessus
  5. Add a REG_SZ value named Application with the following value (replace <ip_address> with the IP you want the scanner to use for scans):
    C:\Program Files\Tenable\Nessus\nessusd.exe -S <ip_address>
  6. Start the Nessus service.

Happy scanning!