FreeScan and Windows Domain Credentials for Authentication

Document created by Qualys Documentation Employee on Feb 4, 2013. Last modified by Qualys Documentation Employee on Mar 1, 2013.
Version 7

We hope you will check out our FreeScan tool. It's easy to get a quick snapshot of your security and compliance posture along with recommendations for effective fixes.

 

For a Patch Tuesday Scan and a SCAP Scan, we recommend using authentication with administrator privileges (Windows local or domain account). Authenticating to the target with login credentials allows the service to perform the most comprehensive scanning by taking a deeper look at your system and its configurations.

 

 

Tips for configuring a Windows domain account

If your Windows machine is joined to a Domain, you have the option to use a local administrator or a Windows domain administrator account. Please check your group policy settings to be sure they are configured to support scanning, as described below.

 

Security Options

Network access: Sharing and security model for local accounts: Classic

System Services

Remote registry: Automatic

Server: Automatic

Windows Firewall: Automatic

 

For SCAP Scans:

Admin Approval Mode for the Built-in Administrator account: Disabled

Detect application installations and prompt for elevation: Disabled

Run all administrators in Admin Approval Mode: Disabled

Administrative Templates

Windows Firewall: Protect all network connections: Disabled (recommended) or Enabled. Your network administrator should decide on the best option for your networking environment.

 

If Enabled, these settings are also required:

Windows Firewall: Allow remote administration exception: Enabled (1)

Windows Firewall: Allow file and printer sharing exception: Enabled (1)

Windows Firewall: Allow ICMP exceptions: Enabled (2)

 

(1) In the "Allows unsolicited messages from" field, enter "*" (do not enter quotes) or the IP address assigned to your scanner appliance(s) to be used for internal scanning.

(2) This is optional for a vulnerability scan, and required for a compliance scan.
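To confirm on a target that the Security Options, System Services and SCAP settings listed above actually took effect, the following PowerShell script reads the registry values behind them. It is an added example, not part of the original Qualys document; the registry value names and service names (which assume Windows Vista / Server 2008 or later) are the standard ones for these policies, and the Windows Firewall Administrative Templates settings are not checked.

```powershell
# Added example: compare this host's effective settings with the list above.
# Run locally on the scan target from an elevated PowerShell 3.0+ prompt.
# Assumption: MpsSvc is the Windows Firewall service (Vista / Server 2008 and later).
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service "Start" = 2 means Automatic (this also covers Automatic, Delayed Start).
$checks = @(
    @{ Scope = 'All';  Setting = 'Sharing and security model: Classic';    Path = $lsa; Name = 'ForceGuest'; Expected = 0 }
    @{ Scope = 'All';  Setting = 'Remote registry: Automatic';             Path = "$svc\RemoteRegistry"; Name = 'Start'; Expected = 2 }
    @{ Scope = 'All';  Setting = 'Server: Automatic';                      Path = "$svc\LanmanServer";   Name = 'Start'; Expected = 2 }
    @{ Scope = 'All';  Setting = 'Windows Firewall: Automatic';            Path = "$svc\MpsSvc";         Name = 'Start'; Expected = 2 }
    @{ Scope = 'SCAP'; Setting = 'Admin Approval Mode (Built-in Admin)';   Path = $uac; Name = 'FilterAdministratorToken'; Expected = 0 }
    @{ Scope = 'SCAP'; Setting = 'Detect application installations';       Path = $uac; Name = 'EnableInstallerDetection'; Expected = 0 }
    @{ Scope = 'SCAP'; Setting = 'Run all admins in Admin Approval Mode';  Path = $uac; Name = 'EnableLUA'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing key or value yields $null instead of an error.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

    # "NotSet" means the OS default applies; review it by hand rather than assume a match.
    $status = if ($null -eq $actual) { 'NotSet' }
              elseif ($actual -eq $c.Expected) { 'OK' }
              else { 'Mismatch' }

    [pscustomobject]@{
        Scope    = $c.Scope
        Setting  = $c.Setting
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a wrapper script detect hosts that are not ready for scanning.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Rows with Scope "SCAP" matter only if you plan to run a SCAP Scan.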

Verify Functionality of New Account

After configuring group policy settings, we recommend you verify the functionality of your new Windows domain account to confirm it is suitable for Windows authenticated scanning.

 

Select Run from the Start menu, enter cmd.exe, and click OK.

 

Run this command to test administrative share access:

net use Z: \\<ip address>\C$  /USER:your_domain\qualys_scanner /PERSISTENT:no

 

Run this command to test registry access:

runas /user:your_domain\qualys_scanner  "cmd /k reg.exe query \\<ip address>\HKLM\Software"


Note: There's a space after "query" and before "\\<ip address>".

 

 

Are you using QualysGuard?

Please see the QualysGuard online help for information.
