Setting up an administrative account for Authenticated Vulnerability Scans of Windows Systems

Overview

This guide explains how to implement the requirements for G5's Credentialed Vulnerability Scans of Windows systems on a local network joined to Active Directory. Credentialed scans use an administrative account in Active Directory so that our scanners can log on to the Windows systems through AD and inspect them far more deeply than an unauthenticated network scan can.

Before you begin, make sure no security controls are in place that would block credentialed checks on Windows, such as:

  • Windows security policies

  • Local computer policies (e.g. the user rights Deny access to this computer from the network and Access this computer from the network)

  • Antivirus or endpoint security rules

  • IPS/IDS

Create a Standalone managed service account in AD

In Active Directory, create a single standalone managed service account (sMSA). This account is used by our vulnerability scanner only. sMSAs require at least Windows Server 2008 R2 and are bound to exactly one computer, although they can be used by multiple services on that computer. The domain generates and rotates the account's password automatically and never exposes it, so the scanner must run on the computer the sMSA is installed on; the password cannot be typed into a credential prompt.

You can learn more about sMSA at

Note: A very common mistake is to create a local account that does not have enough privileges to log on remotely and do anything useful. By default, Windows maps remote logons by new local accounts to Guest privileges (the Network access: Sharing and security model for local accounts setting), which prevents remote vulnerability audits from succeeding. Another common mistake is to widen what the Guest account can do; this reduces the security of the Windows server instead of fixing the problem.

Configure a Domain Account for Authenticated Scanning

To use a domain account for remote host-based auditing of a Windows server, the server must be running a supported version of Windows and be joined to the domain.

Create a Security Group called G5 Local Access

  1. Log in to a Domain Controller and open Active Directory Users and Computers.
  2. To create a security group, select Action > New > Group.
  3. Name the group G5 Local Access. Set Scope to Global and Type to Security.
  4. Add the scanning account (the sMSA created above) to the G5 Local Access group.
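The two steps above (create the sMSA, then create the group and add the account to it) done from PowerShell on a domain-joined admin host with the ActiveDirectory RSAT module. This is an added example, not part of the original guide; the sMSA name G5Scan, the scanner host name SCANNER01 and the sAMAccountName G5LocalAccess are assumptions.

```powershell
# Added example: create the standalone MSA, bind it to the scanner host, and
# put it in the G5 Local Access group. Run as a Domain Admin on a host with the
# ActiveDirectory RSAT module installed.
# Assumed names: sMSA "G5Scan", scanner host "SCANNER01".
Import-Module ActiveDirectory

$msaName     = 'G5Scan'
$scannerHost = 'SCANNER01'
$groupName   = 'G5 Local Access'

# 1. Standalone MSA: -RestrictToSingleComputer makes this an sMSA rather than a
#    group MSA. The domain generates and rotates the password; no human ever
#    knows it, so it cannot be typed into a credential prompt.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msaName'")) {
    New-ADServiceAccount -Name $msaName -RestrictToSingleComputer `
        -Description 'G5 credentialed vulnerability scans - do not reuse' `
        -Enabled $true
}

# 2. Bind the sMSA to the one computer allowed to use it, then install it there.
#    Install-ADServiceAccount must run on the scanner host itself, which needs
#    the ActiveDirectory module as well.
Add-ADComputerServiceAccount -Identity $scannerHost -ServiceAccount $msaName
Invoke-Command -ComputerName $scannerHost -ScriptBlock {
    param($name)
    Install-ADServiceAccount -Identity $name
    # Returns $true when this host can retrieve the managed password.
    Test-ADServiceAccount -Identity $name
} -ArgumentList $msaName

# 3. Global security group that the GPO will push into local Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName 'G5LocalAccess' `
        -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators via G5 Scan GPO'
}

# 4. The sMSA object is a security principal and can be a group member like
#    any user; pass the object so the trailing '$' in its sAMAccountName is
#    not an issue.
$msa = Get-ADServiceAccount -Identity $msaName
Add-ADGroupMember -Identity $groupName -Members $msa

# 5. Verify: the group should contain exactly the one scanning identity.
Get-ADGroupMember -Identity $groupName |
    Select-Object Name, objectClass, SamAccountName
```

Keep the group membership to the single scanning identity: everything in this group becomes a local administrator on every computer the GPO reaches, so it should be reviewed like any other privileged group.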

Create a Group Policy Object called G5 Scan GPO

  1. Open the Group Policy Management Console.
  2. Right-click Group Policy Objects and select New.
  3. Name the policy G5 Scan GPO.

Add the G5 Local Access group to the G5 Scan GPO

  1. Right-click G5 Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  3. In the left navigation bar on Restricted Groups, right-click and select Add Group.
  4. In the Add Group dialog box, select browse and enter G5 Local Access.
  5. Select Check Names.
  6. Select OK twice to close the dialog box.
  7. Select Add under This group is a member of:
  8. Add the Administrators group. Use This group is a member of, not Members of this group on Administrators: member-of adds G5 Local Access to the local Administrators group and leaves its existing members in place, whereas defining Members of this group for Administrators replaces the whole member list on every computer the GPO applies to.
  9. Select OK twice.

Note: Our scanner uses Server Message Block (SMB) and Windows Management Instrumentation (WMI) to log on to and inspect each host. Windows Firewall on the target systems must allow inbound SMB and WMI from the scanner.

Allow WMI on Windows

  1. Right-click G5 Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  3. Right-click in the working area and choose New Rule...
  4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down box.
  5. Select Next.
  6. Select the check boxes for:
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)
  7. Select Next.
  8. Select Finish.

Tip: Later, edit the predefined rules you created and scope them to the scanner's IP address and to authorized users or computers, so that WMI is not reachable from the whole network.
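The firewall steps and the tip above done from PowerShell: the predefined WMI inbound rules (plus the SMB-In rule the note above says the scanner also needs) are copied into the G5 Scan GPO and then scoped to the scanner's address. This is an added example, not part of the original guide; the domain name corp.example and the scanner address 10.10.5.20 are assumptions. It runs on a domain-joined admin host with the NetSecurity module.

```powershell
# Added example: create the WMI (and SMB) inbound rules inside the G5 Scan GPO
# from PowerShell instead of the GPMC wizard, then restrict them to the scanner.
# Assumed: domain "corp.example", scanner address 10.10.5.20.
$gpoStore = 'corp.example\G5 Scan GPO'
$scanner  = '10.10.5.20'

# Predefined rule groups exist in the local policy store of every Windows host.
# Copying them into the GPO store reproduces the wizard's ASync-In / WMI-In /
# DCOM-In rules, plus File and Printer Sharing (SMB-In) for the SMB checks.
$groups = @(
    'Windows Management Instrumentation (WMI)',
    'File and Printer Sharing'
)
$wanted = 'WMI-In|ASync-In|DCOM-In|SMB-In'

foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
        Where-Object { $_.DisplayName -match $wanted } |
        Copy-NetFirewallRule -NewPolicyStore $gpoStore
}

# The tip above: enable the copied rules only for the Domain profile and only
# from the scanner's address, so WMI and SMB are not opened to every host that
# can reach the target.
Get-NetFirewallRule -PolicyStore $gpoStore |
    Where-Object { $_.DisplayName -match $wanted } |
    Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $scanner

# Review what the GPO now carries, including the address filter on each rule.
Get-NetFirewallRule -PolicyStore $gpoStore | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-50} Enabled={1} Profile={2} Remote={3}' -f `
        $_.DisplayName, $_.Enabled, $_.Profile, ($addr -join ',')
}
```

If the scanner address ever changes, only the RemoteAddress filter in the GPO needs updating; the rules themselves stay the same.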

Link the GPO

  1. In the Group Policy Management Console, right-click the domain or the OU containing the Windows systems to be scanned and select Link an Existing GPO.
  2. Select G5 Scan GPO and select OK.
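Linking the GPO from PowerShell and then checking on one target that the whole procedure worked: that G5 Local Access landed in local Administrators without displacing the existing members, and that WMI over DCOM and the SMB administrative share (the two paths the scanner uses) are reachable. This is an added example, not part of the original guide; the domain corp.example, the OU name Servers and the target host SRV01 are assumptions. It runs on a domain-joined admin host with the GroupPolicy module; the WMI and SMB checks should be run from the scanner host as the scanning identity.

```powershell
# Added example: link the GPO, refresh policy on a target, and verify the
# result the way the scanner will experience it.
# Assumed: domain corp.example, OU "Servers", target host "SRV01".
Import-Module GroupPolicy

$gpoName = 'G5 Scan GPO'
$ou      = 'OU=Servers,DC=corp,DC=example'
$target  = 'SRV01'

# Link the GPO to the OU (skip if already linked) and force a refresh.
$linked = (Get-GPInheritance -Target $ou).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}
Invoke-GPUpdate -Computer $target -Force

# Check 1: local Administrators on the target. "This group is a member of"
# appends; if the scan group is the only member listed, someone configured
# "Members of this group" on Administrators and replaced the list.
$admins = Invoke-Command -ComputerName $target -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
}
$admins | Format-Table -AutoSize
if ($admins.Name -notcontains 'CORP\G5 Local Access') {
    Write-Warning 'G5 Local Access is not in Administrators yet; check the GPO link and scope.'
}
if ($admins.Name -notcontains 'CORP\Domain Admins') {
    Write-Warning 'Domain Admins is missing: Restricted Groups replaced the member list.'
}

# Check 2: WMI over DCOM, which is what the scanner uses (not WinRM). Run from
# the scanner host as the scanning identity; an sMSA has no typeable password,
# so it cannot be passed with -Credential.
$dcom = New-CimSessionOption -Protocol Dcom
$cim  = New-CimSession -ComputerName $target -SessionOption $dcom
Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem |
    Select-Object CSName, Caption, Version, LastBootUpTime
Remove-CimSession $cim

# Check 3: the SMB administrative share used for file-level checks. Access
# denied here usually means the account is being treated as Guest (see the
# note above) or the SMB-In firewall rule did not apply.
Test-Path "\\$target\admin$"
```

A failure in check 2 or 3 with a correct check 1 points at the firewall or the logon rights in the policies listed at the top of this guide, not at the group membership.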