Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network. Examples of the sorts of checks that a credentialed scan can do include checks to see if the system is running insecure versions of Adobe Acrobat or Java or if there are poor security permissions governing a service. Information Security Office (ISO) runs Nessus scanners that are capable of running these credentialed scans; however, without accounts on the local machines, we are unable to use this functionality. With this in mind, ISO will create accounts on one of the Nessus scanners for departmental security administrators to do their own credentialed scans. In order to use the ISO scanners to perform a credentialed scan of a Windows system, the following settings are required by Nessus:
- The Windows Management Instrumentation (WMI) service must be enabled on the target.
- The Remote Registry service must be enabled on the target or the credentials used by Nessus must have the permissions necessary to start the remote registry service and be configured appropriately.
- File & Printer Sharing must be enabled on the system to be scanned.
- An SMB account must be used that has local administrator rights on the target. A non-administrator account can do some limited scanning; however, a large number of checks will not run without these rights. According to Tenable, the company behind Nessus, in Windows 7 it is necessary to use the Administrator account, not just an account in the Administrators group. ISO is currently in the process of testing this and looking for potential workarounds.
- Ports 139 (TCP) and 445 (TCP) must be open between the Nessus scanner and the computer to be scanned. Information on what IP block to open in the firewalls can be found here: What is the source network for security scans conducted by Information Security and Policy?
- Ensure that no Windows security policies are in place that blocks access to these services. Two common problems are the SEP configurations that block off the scanners even after the scanners is authenticated and a network access model that sets network access to "Guest only" permissions (see below for information on changing this).
- The default administrative shares (i.e. IPC$, ADMIN$, C$) must be enabled (AutoShareServer = 1). Since these are enabled by default and can cause other issues if disabled, this is rarely a problem.
To check if a system has a "Guest only" sharing and security model go to the Control Panel, open "Administrative Tools," and then "Local Security Policy". In that window go to Local Policies --> Security Options --> Network access: Sharing and security model for local accounts. On some Windows installations, this is set to "Guest only - local users authenticate as Guest" by default. If this is the setting on your box, you will need to change it to "Classic - local users authenticate as themselves".
PLEASE NOTE: Some of the settings above may, in some environments, actually decrease the security of a system. If this is the case, once the credentialed scan is performed, it is advisable to return the system to its previous state.