An authenticated scan is a vulnerability testing measure performed from the vantage of a logged-in user. The quality and depth of an authenticated scan depends on the privileges granted to the authenticated user account. The following are the recommended system settings for creating a designated account for authenticated scans.
|Operating System||Methods and Credentials||Escalation|
|Windows||Windows username and password through Windows Remote Management (WinRM)||None|
|Linux||SSH password or public key authentication||sudo, su,
Commands Running in the Authenticated Vulnerability Scans
When you run an authenticated scan in USM Anywhere, there are multiple commands executing at the same time. These commands change constantly and there are new definitions released every day. You can also verify which commands have been executing at any given moment.
Linux-authenticated scans use privilege escalation over ssh. Commands are logged in the audit log:
Windows-authenticated scans perform file and registry checks to determine the version of the installed patch.
Cisco devices require Level 15 privileges, similar to root, for running a vulnerability scan. You can log in as a particular user and through the Cisco IOS enable password escalation, you can elevate to level 15 privileges, with the user using a separate password. See Scan Target Platform Support for more information.
In UNIX systems, USM Anywhere connects to the target hostReference to a computer on a network. through SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). and it runs a set of commands to determine if there is a vulnerabilityA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.. By default, USM Anywhere allows creating credentials with
sudo privilege escalationA type of vulnerability where the attacker can escalate their user privilege from user level to system account privileges, such as root or administrator.. It is possible as well to log inLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity.
Login (noun): User credentials, typically a username and matching password. as a particular user, and then provide
su escalation privileges, which will execute every command as a rootHigh-level user account with full administrative privileges. user.
USM Anywhere uses, with Windows targets, Windows Remote Management (WinRM) framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is unavailable on a target Windows machine, USM Anywhere is unable to connect. Also, the Windows domain name cannot have a dot in it.
Note: Only the members of the Remote Management Users and Administrators groups can log in through Web Services for Management (WS-Management). WS-Management authentication uses the
sAMAccountName, which is limited to 20 characters.
MaxConcurrentOperationsPerUser parameter in WinRM must be greater than or equal to three, ideally 10 or 15.
MaxMemoryPerShellMB parameter must be set to 1024.
|General System Configurations||
Creating a Windows Admin Account
AT&T Cybersecurity recommends that the Admin create a designated administrator account solely for the authenticated scans rather than using an established administrator account or a guest account. Create the Windows account using the name AV Authenticated Account and a secure password. The account configuration must be set to Classic: local users authenticate as themselves.
See Creating Credentials for Vulnerability Scans for more information about creating credentials for authenticated scans in USM Anywhere.
Rights and Permissions for Using WinRM
The most important aspect about Windows credentials is that the account used to perform the scans should have privileges to access all required files and registry entries, which in many cases means administrative privileges.
Important: For a Windows server that is hardened according to the Center for Internet Security (CIS) benchmarks, such as the CIS Amazon Machine Image (AMI) for Microsoft Windows Server 2016 available in the AWS Marketplace, there are local group policies that block these connectivity requirements. For these servers, you must open the port and re-enable WinRM and remote access on each boot of the server.
Important: The account used to log in to the target system must have remote and local log-on rights. See Setting Log on Locally and the Security Policy for more information.
Important: Enable the group policy Allow Remote Shell Access in the Group Policy settings.
The assets included in your environment should have the default company security policy. However, there are some configuration options that you can enable that can help you to get a better result when you are performing authenticated scans against Windows systems. These are the options:
- Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
- Using the Run prompt, run gpedit.msc and enable Group Policy Object Editor. Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall. Enable Allow inbound file and printer exception.
- While in the Group Policy Object Editor, go to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. This option must be set to either Disabled or Not Configured.
- Windows User Account Control (UAC) must be disabled. To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to Off. Alternatively, you can add a new registry DWORD named LocalAccountTokenFilterPolicy and set its value to 1. This key must be created in the registry at the following location:
- The Remote Registry service must be enabled; it is disabled by default.
USM Anywhere enables you to add a Windows Remote Management (WinRM) credential. The account you use to log in to the target system must have remote and local logon rights.
Important: Set the local logon rights to avoid large numbers of processes and large amounts of memory usage.
To set the local log on rights1
- Select Start > All Programs > Accessories > Run and enter gpedit.msc to open the Local Group Policy Editor.
- In the console tree, select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Click Allow log on locally to open its properties.
- Assign the rights to your user.
- Click OK.