We hope you will check out our FreeScan tool. It's easy to get a quick snapshot of your security and compliance posture along with recommendations for effective fixes.
For a Patch Tuesday Scan and a SCAP Scan, we recommend using authentication with administrator privileges (Windows local or domain account). Authenticating to the target with login credentials allows the service to perform the most comprehensive scanning by taking a deeper look at your system and its configurations.
Tips for configuring a Windows domain account
If your Windows machine is joined to a Domain, you have the option to use a local administrator or a Windows domain administrator account. Please check your group policy settings to be sure they are configured to support scanning, as described below.
Network access: Sharing and security model for local accounts: Classic
Remote registry: Automatic
Windows Firewall: Automatic
For SCAP Scans:
Admin Approval Mode for the Built-in Administrator account: Disabled
Detect application installations and prompt for elevation: Disabled
Run all administrators in Admin Approval Mode: Disabled
Windows Firewall: Protect all network connections: Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your networking environment.
If Enabled, these settings are also required:
Windows Firewall: Allow remote administration exception: Enabled (1)
Windows Firewall: Allow file and printer sharing exception: Enabled (1)
Windows Firewall: Allow ICMP exceptions: Enabled (2)
(1) In the "Allows unsolicited messages from" field, enter "*" (do not enter quotes) or the IP address assigned to your scanner appliance(s) to be used for internal scanning. (2) This is optional for a vulnerability scan, and required for a compliance scan.
Verify Functionality of New Account
After configuring group policy settings, we recommend you verify the functionality of your new Windows domain account to confirm it is suitable for Windows authenticated scanning.
Select Run from the Start menu and enter cmd.exe and click OK.
Run this command to test administrative share access:
net use Z: \\<ip address>\C$ /USER:your_domain\qualys_scanner /PERSISTENT:no
Run this command to test registry access:
runas /user:your_domain\qualys_scanner "cmd /k reg.exe query \\<ip address>\HKLM\Software"
Note: There's a space after "query" and before "\\<ip address>"
Are you using QualysGuard?
Please see the QualysGuard online help for information.