Dashboard Toolbox - AssetView: Windows Authentication Management (v1.2)

Document created by Felix Jimenez on Oct 11, 2018. Last modified by Felix Jimenez on Oct 29, 2018.

This page contains the information needed to create a scorecard dashboard leveraging the AssetView interface and the data in your Qualys Vulnerability Management subscription.

This dashboard is part of the AssetView Dashboard Program. If you have any questions regarding the content, please comment below or contact Support: Technical Assistance Inquiry Form | Qualys, Inc.

This AssetView dashboard will enable you to be more proactive in managing the Windows authentication used by your Qualys scans.

Get a quick, easy glance at KPIs for authentication successes and failures across different technologies.

* * This is not a replacement for the Qualys Authentication Report * *

 

Why is Authentication important?

Using host authentication (trusted scanning) allows the service to log in to each target system during scanning.

As a result, it can perform in-depth security assessments and gain better visibility into each system's security posture.

Running authenticated scans gives you the most accurate results with fewer false positives.

Benefits of Authenticated Scanning (v1.1)  

 

Dashboard Demonstration Images: Updated

* * * New * * *

* The pre-built dashboard JSON file is attached below, ready for download and import into your Qualys subscription *

* * Authentication Widgets are not a replacement for the Qualys Authentication Report * *

 

* * * Requirements * * *

The following widgets require an Asset Search tag to be created for each:

Auth with NTLMv1
TAG-NAME:  Auth Using NTLMv1
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70053</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NTLMSSP_v1</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Auth with NTLMv2
TAG-NAME:  Auth Using NTLMv2
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70053</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NTLMSSP_v2</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

Windows Auth Method - Null Session
TAG-NAME:  Win-auth-nullsession
TAG-CODE: Copy paste under Asset Search rule:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
  <DETECTION>
    <QID_LIST>
      <QID>70028</QID>
    </QID_LIST>
    <RESULTS>
      <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
      <SEARCH_TERM>NULL_session</SEARCH_TERM>
    </RESULTS>
  </DETECTION>
</TAG_CRITERIA>

 

The following widgets require a Groovy Scriptlet tag to be created for each:

Click the following link for assistance in converting time: Google Time Converter

The only line that needs to be changed in the code for your desired time is threshold_minutes = ### (the value is in minutes).

Host Scan Time Tags:

Scan time > 15 minutes    TAG-NAME:  ScanTime15m    threshold_minutes = 15
Scan time > 60 minutes    TAG-NAME:  ScanTime60m    threshold_minutes = 60
Scan time > 12 hours      TAG-NAME:  ScanTime12H    threshold_minutes = 720
Scan time > 24 hours      TAG-NAME:  ScanTime24H    threshold_minutes = 1440

TAG-CODE: Copy paste under Groovy Scriptlet rule for each of the four tags, setting threshold_minutes to the value listed above:

// Skip testing on non-VM hosts.
if (asset.getAssetType() != Asset.AssetType.HOST) return false;

// Tag if the scan time for the host is longer than threshold_minutes minutes.
// This is the only line to change per tag (15, 60, 720 or 1440).
threshold_minutes = 15

// QID 45038 (Host Scan Time) reports a result of the form "Scan duration: <n> seconds".
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset does not have a QID 45038 result.
if (host_scan_time == null) return false;

// Parse the duration with a pattern rather than a fixed character offset, so a
// result that does not have the expected format is ignored instead of throwing.
matcher = (host_scan_time =~ /(\d+)\s+seconds/);
if (!matcher.find()) return false;

// Convert the number of seconds to an integer and compare against the threshold.
return matcher.group(1).toInteger() > (threshold_minutes * 60);

 

 

 

 

API Guide - Evaluate Tag:

Asset Management and Tagging v2 API, see page 31.

* * * Re-evaluate the tags as needed per scan cadence * * *

Evaluate all tags that have Groovy Script or Asset Search tag rules.

API request: **note the POD-specific API URL, and the file.xml request body must be created first (see below).** Putting the password on the command line, as in the examples, leaves it in your shell history and visible in the process list; passing only -u "USERNAME" makes curl prompt for the password instead, or use --netrc.

POD 1: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 2: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg2.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 3: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg3.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

Request POST data: file.xml (or GROOVY.xml), evaluating all Groovy Scriptlet tags:

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">GROOVY</Criteria>
  </filters>
</ServiceRequest>

Request POST data: file.xml (or ASSETSEARCH.xml), evaluating all Asset Search tags:

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <Criteria field="ruleType" operator="EQUALS">ASSET_SEARCH</Criteria>
  </filters>
</ServiceRequest>
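The same tag re-evaluation can be scripted rather than typed at a shell. The following is an added example, not Qualys code and not part of the original page: it reproduces the curl calls above in Python, taking the POD base URLs and the ServiceRequest filter from this page. The environment variable names QUALYS_USER, QUALYS_PASS and QUALYS_POD are this example's own choice, used so the password never appears on a command line, and the two sample ServiceResponse documents are constructed for offline checking, not real API output.

```python
"""Re-evaluate AssetView tags by rule type through the Qualys QPS REST API.

Added example, not Qualys code. POD base URLs and the ServiceRequest filter
come from the curl commands above; QUALYS_USER / QUALYS_PASS / QUALYS_POD are
assumed environment variable names; SAMPLE_OK and SAMPLE_ERR are constructed.
"""
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

# POD number -> API host, from the curl commands above.
POD_API_BASE = {
    1: "https://qualysapi.qualys.com",
    2: "https://qualysapi.qg2.apps.qualys.com",
    3: "https://qualysapi.qg3.apps.qualys.com",
}
EVALUATE_PATH = "/qps/rest/2.0/evaluate/am/tag"
RULE_TYPES = ("GROOVY", "ASSET_SEARCH")


def evaluate_url(pod):
    """Full evaluate-tag endpoint for a POD; raises KeyError for an unknown POD."""
    return POD_API_BASE[pod] + EVALUATE_PATH


def build_request(rule_type):
    """Build the ServiceRequest body that selects tags by rule type (file.xml above).

    Built with ElementTree so the document is always well-formed and escaped.
    """
    if rule_type not in RULE_TYPES:
        raise ValueError("ruleType must be one of %s, got %r" % (RULE_TYPES, rule_type))
    req = ET.Element("ServiceRequest")
    filters = ET.SubElement(req, "filters")
    crit = ET.SubElement(filters, "Criteria", field="ruleType", operator="EQUALS")
    crit.text = rule_type
    return ET.tostring(req, encoding="UTF-8", xml_declaration=True)


def parse_response(body):
    """Pull responseCode and any error message out of a ServiceResponse document."""
    root = ET.fromstring(body)
    return {
        "responseCode": root.findtext("responseCode"),
        "errorMessage": root.findtext("responseErrorDetails/errorMessage"),
    }


def evaluate_tags(pod, rule_type, timeout=120):
    """POST the evaluation request with HTTP Basic auth and return the parsed reply.

    Credentials are read from the environment (assumed variable names), so
    they do not end up in shell history or in the process list.
    """
    user = os.environ["QUALYS_USER"]
    password = os.environ["QUALYS_PASS"]
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    request = urllib.request.Request(
        evaluate_url(pod),
        data=build_request(rule_type),
        method="POST",
        headers={"Content-Type": "text/xml", "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return parse_response(resp.read())


# Constructed replies in the ServiceResponse shape, for offline checks only.
SAMPLE_OK = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b"<ServiceResponse><responseCode>SUCCESS</responseCode></ServiceResponse>")
SAMPLE_ERR = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b"<ServiceResponse><responseCode>INVALID_REQUEST</responseCode>"
              b"<responseErrorDetails><errorMessage>Unknown field</errorMessage>"
              b"</responseErrorDetails></ServiceResponse>")


if __name__ == "__main__":
    # Re-evaluate both rule types on the POD named in QUALYS_POD (default 1).
    pod = int(os.environ.get("QUALYS_POD", "1"))
    for rt in RULE_TYPES:
        print(rt, evaluate_tags(pod, rt))
```

Run it after each scan cycle (for example from the same scheduler that launches the scans) so the scan-time and authentication tags reflect the latest results before the dashboard widgets are read.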

 

How to Enable Trending on the widgets:

Open the desired widget in edit mode by selecting the three-line menu icon at the top right of the widget and clicking Configure Widget. Then select the Collect trend data check box.

 

Windows Authentication Records:

Set Up Windows Authentication

Multiple Windows Authentication Records

Qualys supports domain-level accounts; however, note that multiple authentication records for the same domain are not supported.

Domain credentials should be specific to a domain's FQDN. If you want to use multiple domain authentication records, make sure your organization follows Microsoft's best practice of resource domains, essentially separate domains with specific levels of trust between them.

 

Windows Authentication QIDs

These vulnerability checks (QIDs) return information useful for verifying Windows trusted scanning and testing the user account used.

You can view scan results directly or use other tools such as scan report templates, asset search, and host information views.

 

Windows Account lockout QID

105052 

 

Microsoft Windows NTSTATUS Reference Definitions

[MS-ERREF]: NTSTATUS

[MS-ERREF]: NTSTATUS Values 

Windows Authentication Status

QID 70053 - Windows Authentication Method for User-Provided Credentials (Information Gathered, severity level 1)
    Windows authentication was performed successfully with user-provided credentials. The Results section includes a list of the authentication credentials used.

QID 70028 - Windows Authentication Method (Information Gathered, severity level 1)
    Windows authentication was performed for the host scan. The Results section includes a list of the authentication records used for authentication, with the username associated with each record. Learn more

QID 105015 - Windows Authentication Failed (Information Gathered, severity level 1)
    Windows authentication was enabled for the host scan, but login attempts using the credentials defined in the authentication records failed.

QID 105296 - Windows Authentication Not Attempted (Information Gathered, severity level 1)
    Windows authentication was enabled for the host scan, but was not performed for the host because the host's IP address and domain were not included in any authentication record.

Windows Information: Registry and File Access

QID 70038 - File and Print Services Access Denied (Information Gathered, severity level 1)
    Remote access to File and Print services did not succeed via CIFS. If Windows authentication was enabled for the host scan, these QIDs will not be reported:
        Windows Authentication Method (70028)
        Windows Authentication Failed (105015)
    Check that File and Print services are enabled and that CIFS is running.

QID 90035 - Missing AllowedPaths Registry Key (Information Gathered, severity level 2)
    The AllowedPaths registry key was found missing or improperly defined. This key defines which parts of the registry can be viewed by non-administrators.

QID 90331 - Access to File Share is Enabled (Information Gathered, severity level 1)
    Access to the file share on the target host is enabled.

QID 90399 - Windows File Access Denied (Information Gathered, severity level 1)
    Access to the share was successful, but remote access to the files listed in the Results section was denied. Vulnerabilities that require file access may not have been detected during the scan.

QID 90194 - Windows Registry Pipe Access Level (Information Gathered, severity level 2)
    The return code from remote registry access via CIFS is provided in the Results section. CIFS accesses the Windows registry through a named pipe. Authentication to CIFS was successful, but if the error code is not 0 the scanner could not access the registry named pipe.

QID 90195 - Windows Registry Key Access Denied (Information Gathered, severity level 1)
    Remote access to the registry keys listed in the Results section was denied, although access to the registry named pipe was successful.

QID 105025 - Windows Registry Access Level (Information Gathered, severity level 1)
    The registry keys listed in the Results section can be accessed by the scanning engine. These keys are important for performing patch verification.

QID 105177 - Microsoft Windows Registry Critical Keys Security Policy (Information Gathered, severity level 2)
    The Access Control Lists associated with some of the critical registry paths on the Windows system are provided in the Results section.
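The QID table above and the Asset Search tag criteria earlier on this page together define how a host's authentication state is read off its detections: 70053 or 70028 mean the login succeeded, 105015 means it failed, 105296 means no record covered the host, 70038 means CIFS refused the connection so neither 70028 nor 105015 will appear, and the NTLMSSP_v1 / NTLMSSP_v2 / NULL_session search terms identify the method. The following is an added example that is not part of the original page or of Qualys: it applies those rules to per-host detection lists to produce the same counts the scorecard widgets show. The QID result strings in SAMPLE_HOSTS are constructed to contain the search terms and are not real scan output.

```python
"""Classify a host's Windows authentication state from its QID detections.

Added example, not Qualys code. QID meanings and search terms come from the
page; the status labels, precedence order and SAMPLE_HOSTS result strings
are this example's own (the result text is constructed, not real output).
"""
from collections import Counter

QID_AUTH_USER_CREDS = 70053      # Windows Authentication Method for User-Provided Credentials
QID_AUTH_METHOD = 70028          # Windows Authentication Method
QID_AUTH_FAILED = 105015         # Windows Authentication Failed
QID_AUTH_NOT_ATTEMPTED = 105296  # Windows Authentication Not Attempted
QID_FILE_PRINT_DENIED = 70038    # File and Print Services Access Denied

# Search terms from the Asset Search tag criteria, mapped to a method label.
METHOD_TERMS = {
    "NTLMSSP_v1": "NTLMv1",
    "NTLMSSP_v2": "NTLMv2",
    "NULL_session": "NullSession",
}


def classify_host(detections):
    """detections: {qid: results_text} for one host. Returns status and methods.

    Precedence: a success QID wins over a failure QID (a host with several
    records can report one failed record next to one that worked), then
    failure, then not-attempted. 70038 on its own means CIFS was refused before
    authentication could be reported, so that is flagged separately rather than
    counted as a failed login.
    """
    methods = set()
    for qid in (QID_AUTH_USER_CREDS, QID_AUTH_METHOD):
        text = detections.get(qid) or ""
        for term, label in METHOD_TERMS.items():
            if term in text:
                methods.add(label)

    if QID_AUTH_USER_CREDS in detections or QID_AUTH_METHOD in detections:
        status = "authenticated"
    elif QID_AUTH_FAILED in detections:
        status = "failed"
    elif QID_AUTH_NOT_ATTEMPTED in detections:
        status = "not_attempted"
    elif QID_FILE_PRINT_DENIED in detections:
        status = "cifs_denied"
    else:
        status = "unknown"
    return {"status": status, "methods": sorted(methods), "ntlmv1": "NTLMv1" in methods}


def scorecard(hosts):
    """hosts: {host: detections}. Per-status counts plus the NTLMv1 KPI."""
    counts = Counter()
    for detections in hosts.values():
        info = classify_host(detections)
        counts[info["status"]] += 1
        if info["ntlmv1"]:
            counts["ntlmv1_hosts"] += 1
    return dict(counts)


# Constructed sample: five hosts with the QIDs a scan might report for each.
SAMPLE_HOSTS = {
    "10.0.0.11": {70053: "Authentication method: NTLMSSP_v2, user CORP\\svc_qualys",
                  70028: "Record: CORP-Domain, user CORP\\svc_qualys"},
    "10.0.0.12": {70053: "Authentication method: NTLMSSP_v1, user CORP\\svc_qualys"},
    "10.0.0.13": {105015: "Login failed for CORP\\svc_qualys (STATUS_LOGON_FAILURE)"},
    "10.0.0.14": {105296: "No authentication record covers this host"},
    "10.0.0.15": {70038: "CIFS connection refused on port 445"},
}


if __name__ == "__main__":
    for host, det in SAMPLE_HOSTS.items():
        print(host, classify_host(det))
    print(scorecard(SAMPLE_HOSTS))
```

Feeding this the per-host detection data exported from your subscription gives the same failed / not-attempted / NTLMv1 counts as the widgets, which is a useful cross-check when a widget number looks wrong after a tag re-evaluation.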

 

 

Authentication Report Help Link:

POD - 1 - Apply Tags to Organize Your Assets

POD - 2 - Apply Tags to Organize Your Assets

POD - 3 - Apply Tags to Organize Your Assets

 

 

More to Come ...

 

 

References: 

Looking for additional Qualys documentation? Use the Resources link in the Qualys Portal (Help > Resources).
Documentation specific to authenticated scanning; in this link you can search for supported technologies and authentication methods.
Interested in QIDs related to Windows:

 

Dissolvable Agent usage Benefits: 

 

Windows Authentication Records:

 

Related community Posts:

 

External References: Resource Domains

 

Additional AssetView Dashboards:

Dashboard Toolbox - Asset View: How To - Importing Dashboard json 

- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - -

Dashboard Toolbox - AssetView: Performance Management (v1.0) 
Dashboard Toolbox - AssetView: Host Scan Time Management (v1.0)  
Dashboard Toolbox - AssetView: Scanning Activity Management (v1.0)  
Dashboard Toolbox - AssetView: Open Ports Management & RTI (v1.0) 

Dashboard Toolbox - AssetView: EOL/Obsolete Software & RTI MGMT (v1.0) 

 

Back to Dashboarding and Reporting 

 

* * * WARNING: Read Before Downloading * * *

At this time, Dashboard and Widget JSON files are not interchangeable between application dashboards: AssetView JSON files may only be used in AssetView, and Vulnerability Management JSON files may only be used in Vulnerability Management. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription.

Again, there is no way to reverse this mistake within the UI; it must be done in the database.
