We are trouble-shooting a host whose is running an application that is having difficulties with scanning. We normally do authenticated scans in addition to full port scan. This is a Windows system joined to an Active Directory domain.
I suspect that it is the port scanning that is triggering the issue (we scan all tcp/udp ports on this system) but wanted to confirm this by doing ONLY an authenticated scan (e.g. have the Qualys scan service account log-in and do authenticated scanning process).
I set up this test option profile in the following manner:
TCP Ports: none
UDP Ports: none
Scan Dead Hosts: checked
Performance (network): Normal
Vulnerability Detection: Complete
No Blocked Resources
Windows authentication is successful when we do our normal profile on this host, but did not occur or try to occur with this scan profile. With this option profile it found the host via ICMP traffic but more or less that was it.
I'm guessing I will need to scan at a minimum those TCP ports used to authenticate (e.g. Windows Remote Management ports TCP 135/445). Maybe file and print sharing ports (UDP 137-138 and TCP 1139)? Any others and are all these ports needed?
In a nutshell, what minimal option profile settings will allow us to do an authenticated scan on a host so we can isolate the issue to port scanning and not any processes ran during the authentication portion of the scan?