Qualys scan – with Windows authentication
This article describes how to configure Qualys Probe to monitor and perform vulnerability assessments on Windows servers with authentication.
Getting started
Using host authentication (trusted scanning) allows our service to log in to each target system during scanning. This lets us perform in-depth security assessments and get better visibility into each system's security posture. Running authenticated scans gives you the most accurate scan results with fewer false positives.
Do I have to use authentication?
For vulnerability scans, authentication is optional but recommended. For compliance scans, authentication is required.
Are my credentials safe?
Credentials are securely handled by the service and are only used for the duration of the scan.
In most cases, we do not modify or write to the device unless the user enables optional scan features Dissolvable Agent and Agentless Tracking and accepts the agreement regarding terms of use.
Dissolvable Agent: When enabled, we write the dissolvable agent file to the device and remove it when the scan is finished.
Agentless Tracking: When enabled, we write a host ID file to the device at the time of the first scan. Note – the Manager primary contact for the subscription can do a cleanup action to remove the host ID file from hosts at any time.
Cleanup Issues: In rare cases, if a scan terminates before cleaning up temporary files or the dissolvable agent, the files may persist. This generally should not occur.
Our security service uses credentials at the scan time to log in with elevated privileges and read security information from the target. Using the information collected, the scanner runs the largest number of security tests, checking the most settings and configurations. You’ll see this information gathered as part of your scan reports.
Which technologies are supported?
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: Authentication Technologies Matrix
What login credentials are required? – Windows Clients and Servers
For VM: Administrator privileges are recommended for the most accurate security assessment and recommended fixes for your system.
For PC/SCA: Administrator privileges (the built-in Administrator account or a member of the 'Domain Admins' group) are required. The administrator privileges are required in order for the compliance scan engine to validate settings on the operating system.
Using an account with administrator privileges allows us to collect information based on registry keys, administrative file shares (such as C$) and running services. For VM, it’s possible to use an account with less than administrator rights, however this limits scanning to fewer checks and scans will return less accurate, less complete results.
Windows uses an ACL-based approach. Each object (file, registry key) can have its own ACL listing the accounts that have specific types of access (read, write, etc.) to that object. We must have access to a few objects or authentication will fail, including the "IPC$" pipe, the registry API and others. Missing access rights will simply cause the corresponding vulnerability checks (QIDs) and compliance checks (controls) to fail. Most security checks require access to multiple objects and the detailed list can vary depending on operating system version, patch level, configuration settings, etc. The only way to know whether access is sufficient is by running a scan and reviewing the reported access failures.
Windows Domain Controllers
Only Domain Administrator accounts can be used to scan Domain Controllers. We suggest you create a domain account to be used for authentication and add the account to the Domain Administrators Group. There are certain Group Policy settings that we recommend as best practice for scanning Windows systems. See Windows Domain Account Setup to learn more.
If you have any security concerns running scans on Domain Controllers with Domain Administrator privileges, consider using Qualys Cloud Agent. To learn more about Cloud Agent, see the Qualys Cloud Agent Getting Started Guide.
What Authentication Schemes are used?
Our service will attempt to use authentication schemes on the target host from the most secure scheme to the least secure scheme. We support the following authentication schemes, from highest to lowest:
- Kerberos with AES-128/256
- Kerberos with RC4-128
- NTLMv2
- NTLMv1 (disabled by default, and you can enable it within a Windows authentication record)
Windows Domain Account Setup
This section describes how to create a domain account for authentication, how to add this account to the Domain Administrators Group, and how to set group policy settings. It is recommended that you verify the functionality of the account before using it for trusted scanning. If possible, configure the user account so that the password does not expire.
Create an Administrator Account
- Log into the Domain Controller with an account that has administrator rights.
- Open the Active Directory Users and Computers MMC snap-in.
- Create a new user called “qualys_scanner” (or something similar). Please do not use “qualys” as this account is reserved for use by Qualys and may get locked out during scanning.
- Select the “qualys_scanner” user and go to Properties (Action > Properties).
- In the Properties window, go to the “Member Of” tab. Click Add to add the “qualys_scanner” user to the “Domain Admins” group. Click OK to save the change.
Group Policy Settings
Best practice Group Policy settings for authenticated scanning of Windows systems are described below. Please consult your network administrator before making changes to Group Policy, as changes may have an adverse impact on your network operations, depending on your network configuration and the security policies in place. Note that detailed descriptions of many of the Group Policy settings listed below are available online when using the Group Policy Editor.
Important! We highly recommend that you discuss making changes to Group Policy with your network administrator before implementation, as your local network configuration may depend on certain settings being in place. Qualys does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client.
Security Options
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Network access: Sharing and security model for local accounts > Classic
- Accounts: Guest account status > Disabled (recommended)
- Network access: Let Everyone permissions apply to anonymous users > Disabled (recommended)
System Services
Computer Configuration > Windows Settings > Security Settings > System Services
- Remote registry > Automatic
- Server > Automatic
- Windows Firewall > Automatic
Administrative Templates
Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
- Windows Firewall: Protect all network connections > Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your environment. If Enabled, 3 settings are required (below).
- Windows Firewall: Allow remote administration exception > Enabled (1)
- Windows Firewall: Allow file and printer sharing exception > Enabled (1)
- Windows Firewall: Allow ICMP exceptions > Enabled (2)
(1) In the “Allows unsolicited messages from” field, enter “*” (do not enter quotes) or the IP address assigned to your scanner appliance(s). (2) This is optional for a vulnerability scan, and required for a compliance scan.
Verify Functionality of the New Account (recommended)
After configuring group policy settings, we recommend you verify the functionality of your new Windows domain account to confirm it is suitable for Windows authenticated scanning.
Select Run from the Start menu and enter cmd.exe and click OK. Use the commands below to test administrative share access and registry access. Variables are enclosed in <>. You need to replace variables with appropriate values. For example replace <USER> with a username like jsmith (i.e. remove the brackets).
Run this command to test administrative share access:
net use Z: \\<IP ADDRESS>\C$ /PERSISTENT:no /USER:<DOMAIN>\<USER>
Run this command to test registry access:
runas /USER:<DOMAIN>\<USER> "cmd /k reg.exe query \\<IP ADDRESS>\HKLM\Software"
Note: There's a space after "query" and before \\<IP ADDRESS>.
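The two manual tests above, combined into one PowerShell check that reports the result of each. This is an added example, not part of the SGBox or Qualys article; the target IP, domain and user name are placeholders, and it assumes the registry test can reuse the SMB session opened by the share mapping, so it runs while the drive is still mapped.

```powershell
# Added example (not from the article): verify the scanning account against one target,
# mirroring `net use Z: \\<IP>\C$ ...` and `reg.exe query \\<IP>\HKLM\Software`.
param(
    [string]$Target = "10.0.0.5",        # placeholder: host to be scanned
    [string]$Domain = "CORP",            # placeholder: AD domain of the account
    [string]$User   = "qualys_scanner"   # account created in the steps above
)

$cred   = Get-Credential -UserName "$Domain\$User" -Message "Scanner account password"
$result = [ordered]@{ Target = $Target; AdminShare = $false; RemoteRegistry = $false; Error = $null }

try {
    # Test 1: administrative share C$ with the scanner credentials (non-persistent mapping).
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$Target\C$" -Credential $cred -ErrorAction Stop | Out-Null
    $result.AdminShare = Test-Path "Z:\Windows"

    # Test 2: remote registry read of HKLM\Software. Assumption: the winreg pipe reuses the
    # SMB session from Test 1, so this runs while Z: is still mapped. Needs the Remote
    # Registry service running on the target (set to Automatic in the policy above).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    $sw   = $hklm.OpenSubKey("Software")
    $result.RemoteRegistry = ($null -ne $sw) -and ($sw.SubKeyCount -gt 0)
    if ($sw) { $sw.Close() }
    $hklm.Close()
}
catch {
    # "Access is denied" here means the account or Group Policy is not ready yet.
    $result.Error = $_.Exception.Message
}
finally {
    if (Get-PSDrive -Name Z -ErrorAction SilentlyContinue) { Remove-PSDrive -Name Z -Force }
}

[pscustomobject]$result
```

Both fields should read True before the account is used in an authentication record; an Error value of "Access is denied" points back at the Group Policy settings above.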
WMI Service Configuration
Some of our compliance checks require secure access to the WMI service to successfully perform compliance assessment. For this reason we recommend that you set the WMI service to run securely by increasing the authentication level to Packet Privacy.
A high authentication level is required to scan the following namespaces and associated controls:
Namespace: root\cimv2\security\microsofttpm
CID 11279 – Status of the ‘Trusted Platform Module (TPM)’ (Activated) on Windows
CID 11287 – Status of the ‘Trusted Platform Module (TPM)’ (Enabled) on Windows
CID 11288 – Status of the ‘Trusted Platform Module (TPM)’ (Owned) on Win
Namespace: root\CIMV2\TerminalServices
CID 11478 – Current list of Groups and User Accounts granted the Remote Desktop Connection privilege
How to increase WMI authentication level
You need to run the following command on each host that you’ll scan for the above mentioned namespaces and controls.
winmgmt /standalonehost 6
Then restart the Winmgmt service
net stop winmgmt
net start winmgmt
For information on authentication levels see https://msdn.microsoft.com/en-us/library/aa393972(v=vs.85).aspx
What happens when high level authentication is not provided?
You may see Insufficient Privileges or WMI query failures when scanning namespaces and controls that require high level authentication.
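To confirm that a host accepts Packet Privacy after `winmgmt /standalonehost 6` and the service restart, the check below queries the two namespaces listed above at that authentication level and reports which are reachable. It is an added example, not from the article; the target name is a placeholder and it uses Windows PowerShell's Get-WmiObject, whose -Authentication parameter maps to the DCOM level the command above sets.

```powershell
# Added example (not from the article): probe the WMI namespaces behind the listed
# controls at authentication level 6 (Packet Privacy) and report reachability.
param([string]$Target = "10.0.0.5")   # placeholder: host configured with winmgmt /standalonehost 6

function Test-WmiNamespace {
    param([string]$Computer, [string]$Namespace, [string]$Class)
    try {
        # PacketPrivacy = DCOM authentication level 6, matching `winmgmt /standalonehost 6`.
        $obj = Get-WmiObject -ComputerName $Computer -Namespace $Namespace -Class $Class `
                             -Authentication PacketPrivacy -ErrorAction Stop
        [pscustomobject]@{ Namespace = $Namespace; Class = $Class
                           Reachable = $true; Instances = @($obj).Count; Error = $null }
    }
    catch {
        # "Access denied" or a WMI query failure here is the symptom described above.
        [pscustomobject]@{ Namespace = $Namespace; Class = $Class
                           Reachable = $false; Instances = 0; Error = $_.Exception.Message }
    }
}

$checks = @(
    # CID 11279 / 11287 / 11288: TPM activated, enabled, owned
    @{ Namespace = "root\cimv2\security\microsofttpm"; Class = "Win32_Tpm" },
    # CID 11478: groups and accounts granted Remote Desktop permissions
    @{ Namespace = "root\CIMV2\TerminalServices";       Class = "Win32_TSPermissionsSetting" }
)

$checks | ForEach-Object {
    Test-WmiNamespace -Computer $Target -Namespace $_.Namespace -Class $_.Class
} | Format-Table Namespace, Class, Reachable, Instances, Error -AutoSize
```

A host whose authentication level was not raised typically shows Reachable = False with an access-denied error for these namespaces, which is the same failure the scan report flags.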
Sample error from Windows Authentication Report
Manage Authentication Records (Steps for authenticated scans)
Once you have created the user on the Windows server for use with Qualys, open a ticket with SGBox support via the ticketing portal, with the ticket subject "Qualys scan – with Windows authentication". Please provide the following information in your ticket:
- Username of the account created for Qualys Scan.
- Domain name of the server where the account was created for Qualys Scan.
- IP address of the server that must be scanned.
Note: Once SGBox Support has received the ticket and taken charge of it, you must wait for them to confirm that the configuration required for the next steps has been activated before proceeding to "Configure SGBox for the vulnerability assessments".
Configure SGBox for the vulnerability assessments
If you are already using SGBox to perform vulnerability scans, then simply go to SCM > Network > Assets.
- Create a new asset named “Qualys scan – with Windows authentication” (Optional) and group the Windows hosts that will be subject to VA within it.
- Assign the "Network Vulnerability Scanner" module to the asset.
- Assign the "User" that must be able to see the asset.
- Assign the policy named "AuthenticatedScan ALL (default)" to the asset.
- Save your changes.
If this is the first time you are configuring Qualys Probe on SGBox, please follow the guide below for the configuration part: Configure a Qualys probe for SGBox