Dashboard Toolbox - VM DASHBOARD BETA: Windows Authentication Management (v1.4)

Document created by Felix Jimenez (Employee) on Feb 5, 2019. Last modified by Felix Jimenez (Employee) on May 31, 2019. Version 16.

This page contains information to create a Scorecard dashboard leveraging the Vulnerability Management Beta Dashboard interface and the data in your Qualys Vulnerability Management subscription.

This dashboard is part of the Vulnerability Management Beta Dashboard Program. If you have any questions regarding the content, please comment below or contact Support via the Technical Assistance Inquiry Form | Qualys, Inc.

This Vulnerability Management Beta Dashboard will enable you to be more proactive in managing Windows authentication for your Qualys scans.

Get a quick, at-a-glance view of KPIs for authentication successes and failures across different technologies.

  

* * This is not a replacement for the Qualys Authentication Report * *

 

Why is Authentication important?

Using host authentication (trusted scanning) allows our service to log in to each target system during scanning.

For this reason, we can perform in-depth security assessments and get better visibility into each system's security posture.

Running authenticated scans gives you the most accurate results with fewer false positives. 

Benefits of Authenticated Scanning (v1.1)  

 

Dashboard Demonstration Images: * * * New * * *

[Image] Determine the Windows OS Architecture (New in DB v1.3)

[Image] Determine the Windows Kerberos auth (New in DB v1.4)

 

* The Pre-built Dashboard JSON file can be found attached below ready for download & import into your Qualys subscription *

 

* * Authentication Widgets are not a replacement for the Qualys Authentication Report * *

 

* * * Requirements * * *

The following widgets require an Asset Search tag to be created for each. Copy and paste each TAG-CODE block under the tag's Asset Search rule:

Widget: Auth With NTLMv1
TAG-NAME: Auth Using NTLMv1
TAG-CODE:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70053</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>NTLMSSP v1</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

Widget: Auth with NTLMv2
TAG-NAME: Auth Using NTLMv2
TAG-CODE:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70053</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>NTLMSSP v2</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

Widget: Auth with Kerberos
TAG-NAME: Auth Using kerberos
TAG-CODE:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70053</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>kerberos</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

Widget: Windows Auth Method - Null Session
TAG-NAME: Win-auth-nullsession
TAG-CODE:

<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
<DETECTION>
<QID_LIST>
<QID>70028</QID>
</QID_LIST>
<RESULTS>
<SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
<SEARCH_TERM>NULL session</SEARCH_TERM>
</RESULTS>
</DETECTION>
</TAG_CRITERIA>

 

The following widgets require a Groovy Scriptlet tag to be created for each:

Click the following link for assistance in converting time: Google Time Converter

The only line that needs to be changed in the code for your desired time is the assignment threshold_minutes = ### (shown in red in the original page).

Host Scan Time Tags:

Scan time 0 - 15 Minutes
TAG-NAME: ScanTimeMin-0-15
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 0
// Upper bound is 16 minutes (threshold_minutes + 16); do not tag at or above that.
next_threshold_min = 16+threshold_minutes
// Obtain results for QID 45038 (host scan time); no tag if the QID is absent.
host_scan_time = asset.resultsForQid(45038L);
if (host_scan_time == null || host_scan_time.isEmpty())
return false;
// Parse for duration: skip the 15-character prefix and stop before ' seconds'.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);

Scan time 30 - 60 Minutes
TAG-NAME: ScanTimeMin-30-60
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 30
// Upper bound is 61 minutes (threshold_minutes + 31); do not tag at or above that.
next_threshold_min = 31+threshold_minutes
// Obtain results for QID 45038 (host scan time); no tag if the QID is absent.
host_scan_time = asset.resultsForQid(45038L);
if (host_scan_time == null || host_scan_time.isEmpty())
return false;
// Parse for duration: skip the 15-character prefix and stop before ' seconds'.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);

Scan time 1 - 12 Hours
TAG-NAME: ScanTime-1-12H
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 60
// Upper bound is 721 minutes (threshold_minutes + 661); do not tag at or above that.
next_threshold_min = 661+threshold_minutes
// Obtain results for QID 45038 (host scan time); no tag if the QID is absent.
host_scan_time = asset.resultsForQid(45038L);
if (host_scan_time == null || host_scan_time.isEmpty())
return false;
// Parse for duration: skip the 15-character prefix and stop before ' seconds'.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);

Scan time 1 - 24 Hours
TAG-NAME: ScanTime-12-14H
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Tag if scan time for host takes longer than threshold_minutes minutes.
threshold_minutes = 720
// Upper bound is 1441 minutes (threshold_minutes + 721); do not tag at or above that.
next_threshold_min = 721+threshold_minutes
// Obtain results for QID 45038 (host scan time); no tag if the QID is absent.
host_scan_time = asset.resultsForQid(45038L);
if (host_scan_time == null || host_scan_time.isEmpty())
return false;
// Parse for duration: skip the 15-character prefix and stop before ' seconds'.
host_scan_time = host_scan_time.substring(15,host_scan_time.indexOf(' seconds'));
// Convert number of seconds to integer.
host_scan_time = host_scan_time.toInteger()
return host_scan_time > (threshold_minutes*60) && host_scan_time < (next_threshold_min*60);
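As an added example (Python, not part of this page and not Qualys code), the four scan-time rules above are re-implemented so their threshold boundaries can be checked offline, and a report lists the second values that no rule tags and that two rules tag. The 15-character result prefix "Scan duration: " is a constructed assumption standing in for whatever the scriptlets skip.

```python
# Added example (not Qualys's or the page's code): re-implements the four
# scan-time tag rules above to check how their thresholds partition scan time.

# (threshold_minutes, next_threshold_min) exactly as set in the four scriptlets.
SCAN_TIME_TAGS = {
    "ScanTimeMin-0-15": (0, 16 + 0),
    "ScanTimeMin-30-60": (30, 31 + 30),
    "ScanTime-1-12H": (60, 661 + 60),
    "ScanTime-12-14H": (720, 721 + 720),
}

def parse_scan_seconds(result):
    """Mirror of substring(15, indexOf(' seconds')).toInteger(); None if empty.
    The scriptlets skip 15 characters; a 15-character prefix such as the
    constructed 'Scan duration: ' is ASSUMED, the real wording may differ."""
    if not result:
        return None
    end = result.find(" seconds")
    if end < 15:
        raise ValueError("unexpected QID 45038 result: %r" % result)
    return int(result[15:end])

def tags_for_seconds(seconds):
    """Every tag whose rule (> threshold*60 && < next_threshold*60) holds."""
    return [name for name, (lo, hi) in SCAN_TIME_TAGS.items()
            if lo * 60 < seconds < hi * 60]

def _runs(values):
    """Collapse a sorted list of ints into inclusive (first, last) ranges."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return [tuple(r) for r in runs]

def coverage_report(max_seconds=86460):
    """Seconds values that no rule tags, and that more than one rule tags."""
    counts = [len(tags_for_seconds(s)) for s in range(max_seconds + 1)]
    return {"untagged": _runs([s for s, n in enumerate(counts) if n == 0]),
            "double_tagged": _runs([s for s, n in enumerate(counts) if n > 1])}

if __name__ == "__main__":
    # Constructed sample QID 45038 results, one per host (last host lacks the QID).
    samples = {"a": "Scan duration: 600 seconds", "b": "Scan duration: 1200 seconds", "c": ""}
    for host, res in samples.items():
        secs = parse_scan_seconds(res)
        print(host, secs, tags_for_seconds(secs) if secs is not None else "no QID 45038")
    print(coverage_report())
```

coverage_report() shows that the band from 16 to 30 minutes is tagged by no rule, while the first minute past 60 minutes and past 12 hours is matched by two rules, so adjust the thresholds if you need the widgets to be mutually exclusive and gap-free.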

 

 

The OS Architecture widgets require Groovy Scriptlet tags to be created for each: New

See the Asset Inventory | Qualys, Inc. product specifically for this granular view, among others, in a central module.

Note that contains("x86") also matches a result such as "x86_64", so confirm the exact strings QID 90107 returns in your subscription before relying on the 32-bit tag.

32-bit Architecture
TAG-NAME: 32bit-OS-System-Architecture
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Obtain results for QID 90107 (OS architecture); no tag if the QID is absent.
os_arch = asset.resultsForQid(90107L);
if (os_arch == null || os_arch.isEmpty()) return false;
// Tag hosts reporting a 32-bit (x86) architecture.
if(os_arch.contains("x86")) return true;
return false;

64-bit Architecture
TAG-NAME: 64bit-OS-System-Architecture
TAG-CODE: Copy paste under Groovy Scriptlet rule:

// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Obtain results for QID 90107 (OS architecture); no tag if the QID is absent.
os_arch = asset.resultsForQid(90107L);
if (os_arch == null || os_arch.isEmpty()) return false;
// Tag hosts reporting a 64-bit (amd64) architecture.
if(os_arch.contains("amd64")) return true;
return false;

 

 

API Guide - Evaluate Tag:

Asset Mgmt and Tagging v2 API

See Page: 31

* * * Re-Evaluate the Tags as needed per Scan Cadence * * *

Evaluate all tags that have Groovy Script or Asset Search tag rules.

API Request: **Note the POD API URL, and that file.xml needs to be created**

POD 1: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 2: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg2.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

POD 3: curl -u "USERNAME:PASSWORD" -H "content-type: text/xml" -X "POST" --data-binary @- "https://qualysapi.qg3.apps.qualys.com/qps/rest/2.0/evaluate/am/tag" < file.xml

Request POST data (file.xml, or GROOVY.xml) to evaluate the Groovy Scriptlet tags:

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<filters>
<Criteria field="ruleType" operator="EQUALS">GROOVY</Criteria>
</filters>
</ServiceRequest>

Request POST data (file.xml, or ASSETSEARCH.xml) to evaluate the Asset Search tags:

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
<filters>
<Criteria field="ruleType" operator="EQUALS">ASSET_SEARCH</Criteria>
</filters>
</ServiceRequest>

 

How to Enable Trending on the widgets:

Open the desired widget in edit mode by selecting the three lines at the top right of the widget and clicking Configure Widget. Then select the Collect trend data check box.

 

Window Authentication Records: 

Set Up Windows Authentication 

Multiple Windows Authentication Records 

Qualys supports domain-level accounts; however, please note that duplicate authentication records for the same domain are not supported.

Domain credentials should be specific to a domain's FQDN. If you want to use multiple domain authentication records, please make sure your organization follows the Microsoft best practice of resource domains, essentially separate domains with specific levels of trust.

 

Windows Authentication QIDs

These vulnerability checks (QIDs) return information useful for verifying Windows trusted scanning and testing the user account used.

You can view scan results directly or use other tools such as scan report templates, asset search, and host information views.

 

Windows Account lockout QID: 105052

 

Microsoft Windows NTSTATUS Reference Definitions

[MS-ERREF]: NTSTATUS

[MS-ERREF]: NTSTATUS Values 

Windows Authentication Status

QID 70053 - Information Gathered, severity level 1 - Windows Authentication Method for User-Provided Credentials
Windows authentication was performed successfully with user-provided credentials. The Results section includes a list of authentication credentials used.

QID 70028 - Information Gathered, severity level 1 - Windows Authentication Method
Windows authentication was performed for the host scan. The Results section includes a list of authentication records used for authentication with the username associated with each record.

QID 105015 - Information Gathered, severity level 1 - Windows Authentication Failed
Windows authentication was enabled for the host scan, but login attempts using the credentials defined in authentication records failed.

QID 105296 - Information Gathered, severity level 1 - Windows Authentication Not Attempted
Windows authentication was enabled for the host scan, but not performed for the host because the host's IP address and domain were not included in authentication records.

Windows Information: Registry and File Access

QID 70038 - Information Gathered, severity level 1 - File and Print Services Access Denied
Remote access to File and Print services did not succeed via CIFS. If Windows authentication was enabled for the host scan, these QIDs will not be reported:
Windows Authentication Method (70028)
Windows Authentication Failed (105015)
Check that Print and File services are enabled and that CIFS is running.

QID 90035 - Information Gathered, severity level 2 - Missing AllowedPaths Registry Key
The AllowedPaths registry key was found missing or improperly defined. This key defines which part of the registry can be viewed by non-administrators.

QID 90331 - Information Gathered, severity level 1 - Access to File Share is Enabled
Access to the file share on the target host is enabled.

QID 90399 - Information Gathered, severity level 1 - Windows File Access Denied
Access to the share was successful, but remote access to the files in the Results section was denied. Vulnerabilities that require file access may not have been detected during the scan.

QID 90194 - Information Gathered, severity level 2 - Windows Registry Pipe Access Level
The return code from remote registry access via CIFS is provided in the Results section. CIFS accesses the Windows registry through a named pipe. Authentication to CIFS was successful, but if the error code is not 0 the scanner could not access the registry named pipe.

QID 90195 - Information Gathered, severity level 1 - Windows Registry Key Access Denied
Remote access to the registry keys in the Results section has been denied, although access to the registry named pipe was successful.

QID 105025 - Information Gathered, severity level 1 - Windows Registry Access Level
The registry keys in the Results section can be accessed by the scanning engine. These keys are important for performing patch verification.

QID 105177 - Information Gathered, severity level 2 - Microsoft Windows Registry Critical Keys Security Policy
Access Control Lists associated with some of the critical registry paths on the Windows system are provided in the Results section.

 

 

Authentication Report Help Link:

POD - 1 - Apply Tags to Organize Your Assets

POD - 2 - Apply Tags to Organize Your Assets

POD - 3 - Apply Tags to Organize Your Assets

 

 

More to Come ...

 

 

References:

Looking for additional Qualys documentation? Use the Resources link in the Qualys Portal (Help > Resources).
Documentation specific to authenticated scanning: in this link, you can search for supported technologies and authentication methods.
Interested in QIDs related to Windows:
Dissolvable Agent usage benefits:
Windows Authentication Records:
Related community posts:
External References: Resource Domains

Additional VM Beta Dashboards:

Dashboard Toolbox - How To Enable the New VM Dashboard BETA within the Qualys UI 

Dashboard Toolbox - How To - Importing Dashboard json 

- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - -

Dashboard Toolbox - VM DASHBOARD BETA: QID Specific Remediation Dashboard (v1.0) 

Dashboard Toolbox - VM DASHBOARD BETA: Host Scan Time Management (v1.1) 

Dashboard Toolbox - VM DASHBOARD BETA: Per Year Environment View - Vr1.0 

Dashboard Toolbox - VM DASHBOARD BETA: Severity 1 thru 5  & Threat Protection (RTI) Dashboard BETA 

Dashboard Toolbox - VM DASHBOARD BETA: PCI Compliance Vulnerability Exposure Dashboard 

Dashboard Toolbox - VM DASHBOARD BETA: Windows Authentication Management (v1.2) 

Dashboard Toolbox - VM DASHBOARD BETA: Total Vulnerabilities Scorecard    

Dashboard Toolbox - VM DASHBOARD BETA: Total Unremediated Scorecard   

Dashboard Toolbox - VM DASHBOARD BETA: Top 10 Vulnerabilities Scorecard 

Dashboard Toolbox - VM DASHBOARD BETA: Top 10 Assets Scorecard 

Dashboard Toolbox - VM DASHBOARD BETA: Hosts Assessment Dashboard 

Dashboard Toolbox - VM DASHBOARD BETA: Threat Real Time Indicator (RTI) Dashboard 

Dashboard Toolbox - Top 5 Vendor Open Vulns Sev3-5 Assessment Dashboard BETA

Dashboard Toolbox - [Tags.Name] Confirmed Sev 3- 5 Excl NRK 90D BETA

Dashboard Toolbox - VM DASHBOARD BETA: Windows 7 Confirmed/Potential Sev 3-5 90D Assessment 

Dashboard Toolbox - Cisco Vendor Only Confirmed/Potential Sev 3-5 90D Assessment BETA

Dashboards and Reporting: Apache Struts RCE Vulnerabilities: CVE-2017-5638 and CVE-2018-11776

QID Tracking Dashboard: .NET Framework Service Packs - All of a Sudden

Adobe Product Dashboard: Qualys API - List Assets by Vulnerability Title

 


 

* * * WARNING: Read Before Downloading * * *

At this time, Dashboard and Widget JSON files are not interchangeable between application dashboards, meaning Vulnerability Management Beta Dashboard JSON files may only be used in VM Dashboard and AssetView JSON files may only be used in AssetView. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription. 

Again, there is no way to reverse this mistake within the UI, it must be done in the database.
