NESSUS VULNERABILITY SCANNER FOR AUTHENTICATED SCANS

Credentialed Checks on Windows

The process described in this section enables you to perform local security checks on Windows systems. Only Domain Administrator accounts can be used to scan Domain Controllers.

Configure a Domain Account for Authenticated Scanning

To create a domain account for remote host-based auditing of a Windows server, the server must first be Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, Server 2016, Windows 7, Windows 8, or Windows 10 and must be part of a domain.

Create a Security Group called Nessus Local Access

1. Log in to a Domain Controller and open Active Directory Users and Computers.
   

1. To create a security group, select Action > New > Group.
   

1. Name the group Nessus Local Access. Set Scope to Global and Type to Security.
   

1. Add the account you will use to perform Nessus Windows Authenticated Scans to the Nessus Local Access group.
   

Create Group Policy called Local Admin GPO

1. Open the Group Policy Management Console.
   

1. Right-click Group Policy Objects and select New.
   

1. Type the name of the policy Nessus Scan GPO.
   

Add the Nessus Local Access group to the Nessus Scan GPO

1. Right-click Nessus Scan GPO Policy, then select Edit.
   

1. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
   

1. In the left navigation bar on Restricted Groups, right-click and select Add Group.
   

1. In the Add Group dialog box, select browse and enter Nessus Local Access.
   

1. Select Check Names.
   

1. Select OK twice to close the dialog box.
   

1. Select Add under This group is a member of:
   

1. Add the Administrators Group.
   

1. Select OK twice.
   

Nessus uses Server Message Block (SMB) and Windows Management Instrumentation (WMI). You must ensure Windows Firewall allows access to the system.

Allow WMI on Windows Vista, 7, 8, 10, 2008, 2008 R2, 2012, 2012 R2, and 2016 Windows Firewall

1. Right-click Nessus Scan GPO Policy, then select Edit.
   

1. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
   

1. Right-click in the working area and choose New Rule...​
   

1. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down box.
   

1. Select Next.
   

1. Select the check boxes for:
   

• Windows Management Instrumentation (ASync-In)
  

• Windows Management Instrumentation (WMI-In)
  

• Windows Management Instrumentation (DCOM-In)
  

1. Select Next.
   

1. Select Finish.
   

Tip: Later, you can edit the predefined rule created and limit the connection to the ports by IP Address and Domain User to reduce any risk for abuse of WMI.

Link the GPO

1. In Group policy management console, right-click the domain or the OU and select Link an Existing GPO.
   

1. Select the Nessus Scan GPO.
   

Configure Windows 2008, Vista, 7, 8, and 10

1. Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
   

1. Using the gpedit.msc tool (via the Run prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall : Allow inbound file and printer exception, and enable it.
   

1. While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain and ensure it is set to either Disabled or Not Configured.
   

1. The Remote Registry service must be enabled (it is disabled by default). It can be enabled manually for continuing audits, either by an administrator or by Nessus. Using plugin IDs 42897 and 42898, Nessus can enable the service just for the duration of the scan.
   

Note: Enabling this option configures Nessus to attempt to start the remote registry service prior to starting the scan.

The Windows credentials provided in the Nessus scan policy must have administrative permissions to start the Remote Registry service on the host being scanned.

Caution: While not recommended, Windows User Account Control (UAC) can be disabled.

Tip: To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to off. Alternatively, you can add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1.

This key must be created in the registry at the following location: HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if UAC is disabled, then EnableLUA must be set to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.

Enable Windows Logins for Local and Remote Audits

The most important aspect about Windows credentials is that the account used to perform the checks should have privileges to access all required files and registry entries, which in many cases means administrative privileges. If Nessus is not provided the credentials for an administrative account, at best it can be used to perform registry checks for the patches. While this is still a valid method to determine if a patch is installed, it is incompatible with some third party patch management tools that may neglect to set the key in the policy. If Nessus has administrative privileges, then it will actually check the version of the dynamic-link library (.dll) on the remote host, which is considerably more accurate.

Configure a Local Account

To configure a stand-alone Windows server with credentials to be used that is not part of a domain, simply create a unique account as the administrator.

Make sure that the configuration of this account is not set with a typical default of Guest only: local users authenticate as guest. Instead, switch this to Classic: local users authenticate as themselves.

Configuring a Domain Account for Local Audits

To create a domain account for remote host-based auditing of a Windows server, the server must first be Windows 2000 Server, Windows XP Pro, or Windows 2008 Server and be part of a domain.

To configure the server to allow logins from a domain account, use the Classic security model. To do this, follow these steps:

1. Open the Start menu and select Run.
   

1. Enter gpedit.msc and select OK.
   

1. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
   

1. In the list, select Network access: Sharing and security model for local accounts.
   

The Network access: Sharing and security model for local accounts window appears.

1. In the Local Security Setting section, in the drop-down box, select Classic - local users authenticate as themselves.
   

1. Click OK.
   

This will cause users local to the domain to authenticate as themselves, even though they are not physically local on the particular server. Without doing this, all remote users, even real users in the domain, will authenticate as a guest and will likely not have enough credentials to perform a remote audit.

Configuring Windows XP

When performing authenticated scans against Windows XP systems, there are several configuration options that must be enabled:

• The WMI service must be enabled on the target.
  

• The Remote Registry service must be enabled on the target.
  

• File & Printer Sharing must be enabled in the target’s network configuration.
  

• Ports 139 and 445 must be open between the Nessus scanner and the target.
  

• An SMB account must be used that has local administrator rights on the target.
  

You may be required to change the Windows local security policies or they could block access or inherent permissions. A common policy that will affect credentialed scans is found under:

Administrative Tools > Local Security Policy > Security Settings > Local Policies > Security Options > Network access: Sharing and security model for local accounts.

If this local security policy is set to something other than Classic - local users authenticate as themselves, a compliance scan will not run successfully.

Configuring Windows Server, Vista, 7, 8, and 10.

When performing authenticated scans against Windows systems, there are several configuration options that must be enabled:

• Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
  

• Using the Run prompt, run gpedit.msc and enable Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall : Allow inbound file and printer exception and enable it.
  

• While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. This option must be set to either Disabled or Not Configured.
  

• Windows User Account Control (UAC) must be disabled, or a specific registry setting must be changed to allow Nessus audits. To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to Off. Alternatively, you can add a new registry DWORD named LocalAccountTokenFilterPolicy and set its value to “1”. This key must be created in the registry at the following location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAcc ountTokenFilterPolicy. For more information on this registry setting, consult the MSDN 766945 KB.
  

• The Remote Registry service must be enabled (it is disabled by default). It can be enabled for a one-time audit, or left enabled permanently if frequent audits are performed.