
Authenticated Scan "Only"

Question asked by latpoly on Jun 1, 2012
Latest reply on Jun 4, 2012 by Eric Perraudeau

We are troubleshooting a host that is running an application that is having difficulties with scanning. We normally do authenticated scans in addition to a full port scan. This is a Windows system joined to an Active Directory domain.

 

I suspect that it is the port scanning that is triggering the issue (we scan all TCP/UDP ports on this system) but wanted to confirm this by doing ONLY an authenticated scan (e.g. have the Qualys scan service account log in and do the authenticated scanning process).

 

I set up this test option profile in the following manner:

Scan

TCP Ports: none

UDP Ports: none

Scan Dead Hosts: checked

Performance (network): Normal

Vulnerability Detection: Complete

Authentication: Windows

 

Host Discovery:

TCP: Unchecked

UDP: Unchecked

ICMP: Checked

No Blocked Resources

 

Windows authentication is successful when we do our normal profile on this host, but did not occur or try to occur with this scan profile.  With this option profile it found the host via ICMP traffic but more or less that was it. 

 

I'm guessing I will need to scan at a minimum those TCP ports used to authenticate (e.g. Windows Remote Management ports TCP 135/445).  Maybe file and print sharing ports (UDP 137-138 and TCP 1139)?  Any others and are all these ports needed? 

 

In a nutshell, what minimal option profile settings will allow us to do an authenticated scan on a host so we can isolate the issue to port scanning and not any processes run during the authentication portion of the scan?
