Running Authenticated (Whitebox) Scans
This article describes how to add authentication credentials to Secureworks® Taegis™ VDR in order to scan inside certain machines and obtain the information on locally-installed vulnerable software.
Credentials can be associated with groups of assets through the use of tags (see Creating New Tags and Associating Credentials to Tags). All the assets categorized under the tag to which the credentials are associated will be scanned with authentication using these credentials.
Tags that have credentials associated with them are shown with a blue left border throughout VDR.
Once a scan finishes, the report will show which credentials were used during the scan, if any.
System Requirements for Authenticated Scans
Requirements for SMB Authentication on Microsoft Windows Machines
- The remote registry service must be started (can be configured in the 'Services' section of Microsoft Windows).
- File and printer sharing must be activated and, on Windows XP machines, "Simple Sharing" should be deactivated.
- If you are scanning individual systems:
  - Use an account that has administrative rights on the machine.
  - Create a new DWORD value named LocalAccountTokenFilterPolicy with the value '1' in the following key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
- If you are scanning systems that are part of a Domain:
  - The recommended level of permission is to use Domain Admin credentials. Without a sufficient level of privileges, the vulnerability data will likely be incomplete.
  - Because these are highly privileged credentials, you should create a specific security group for these domain admins and apply a specific Group Policy (GPO) to it with the following restrictions:
    - Deny local log on
    - Deny log on through Remote Desktop Services
    - Consider denying write actions to registry keys, as well as to the default system drive (%SystemDrive%)
- If need be, exception rules for VDR (or the Edge Service) should be created in the Windows firewall.
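The following PowerShell script is an added example, not part of the Taegis VDR documentation, showing how the Windows prerequisites above can be applied and verified on a single (non-domain) machine from an elevated PowerShell session: starting the Remote Registry service, enabling the File and Printer Sharing firewall rule group, creating the LocalAccountTokenFilterPolicy DWORD, and adding a firewall exception for the scanner. The scanner address (`$ScannerAddress`) is a placeholder you must replace with the IP of your VDR or Edge Service host.

```powershell
# Added example (not from the Taegis VDR documentation).
# Prepares a standalone Windows host for SMB authenticated scanning.
# Run in an elevated PowerShell session on the target machine.

# Placeholder: replace with the address of the VDR scanner or Edge Service.
$ScannerAddress = '192.0.2.10'

# 1. The Remote Registry service must be running for the scanner to read
#    installed-software information.
Set-Service -Name 'RemoteRegistry' -StartupType Manual
Start-Service -Name 'RemoteRegistry'

# 2. File and Printer Sharing must be allowed (SMB access to the host).
#    Enable-NetFirewallRule is available on Windows 8 / Server 2012 and later.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# 3. LocalAccountTokenFilterPolicy = 1 lets a local administrator account keep
#    its full admin token when connecting remotely. Only set this on machines
#    that are not domain-joined and are scanned with a local admin account;
#    it relaxes UAC remote restrictions for every local administrator, so
#    pair it with the firewall exception below to limit who can reach SMB.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-ItemProperty -Path $PolicyKey `
                 -Name 'LocalAccountTokenFilterPolicy' `
                 -PropertyType DWord `
                 -Value 1 `
                 -Force | Out-Null

# 4. Firewall exception restricted to the scanner only (SMB, TCP 445).
New-NetFirewallRule -DisplayName 'Allow VDR authenticated scan (SMB)' `
                    -Direction Inbound `
                    -Protocol TCP `
                    -LocalPort 445 `
                    -RemoteAddress $ScannerAddress `
                    -Action Allow | Out-Null

# Verification: each line should show Running / Manual, value 1, and an enabled rule.
Get-Service -Name 'RemoteRegistry' | Select-Object Status, StartType
Get-ItemProperty -Path $PolicyKey -Name 'LocalAccountTokenFilterPolicy' |
    Select-Object LocalAccountTokenFilterPolicy
Get-NetFirewallRule -DisplayName 'Allow VDR authenticated scan (SMB)' |
    Select-Object DisplayName, Enabled, Direction
```

For domain-joined systems, do not set LocalAccountTokenFilterPolicy; instead, place the scanning account in the dedicated security group described above and enforce the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights on that group via GPO, so the credential is only usable for network (SMB) access.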
Requirements for SSH Authentication (GNU/Linux & Cisco)
- The SSH server (sshd) should be activated on the destination machine.
- Key-based authentication must be enabled in the SSH daemon configuration; it is enabled by default, but ensure that /etc/ssh/sshd.conf does not contain "PubkeyAuthentication no".
- The user used for authentication needs to have administrative privileges, but read-only access to "root" restricted files is recommended (granted through the use of an administrative group).
- For Cisco (IOS) systems, an unprivileged user that has access to the "show version" command is necessary.
Requirements for Authentication on ESXi Machines
An administrative account or a read-only role with global settings permission must be used for ESXi authentication.