AlienVault® USM Anywhere™

The Need of Credentials for Running a Scan

When running a scan in USM Anywhere, you have the option to run it with or without authentication.

When running a scan without authentication, USM Anywhere probes the network services available on the target machine. Using known protocol behaviors, it attempts to identify the software that is running, along with its configuration and version. With this information, the engine then attempts to match the identified software against known vulnerabilities to produce a report. The benefit of this approach is that detection can be very specific, identifying known vulnerable behavior directly.

When you choose to run a scan with authentication, your credentials allow the engine to query the running machine directly and obtain very detailed and accurate information about the installed software and its configuration. This prevents the false positives from misidentified services that can sometimes occur in the unauthenticated approach. In addition, an authenticated scan is performed from inside the machine using a user account with appropriate privileges, so it ensures that all services and software are analyzed — regardless of whether the service is currently running or accessible from the network.

Rights and Permissions for Using WinRM

The most important aspect of Windows credentials is that the account used to perform the scans must have privileges to access all required files and registry entries, which in many cases means administrative privileges.

Important: For a Windows server that is hardened according to the Center for Internet Security (CIS) benchmarks, such as the CIS Amazon Machine Image (AMI) for Microsoft Windows Server 2016 available in the AWS Marketplace, there are local group policies that block these connectivity requirements. For these servers, you must open the port and re-enable WinRM and remote access on each boot of the server.

The assets included in your environment should have the default company security policy applied. However, there are some configuration options you can enable to get better results when performing authenticated scans against Windows systems. These options are:

  • Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
  • Using the Run prompt, run gpedit.msc to open the Group Policy Object Editor. Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall. Enable Allow inbound file and printer exception.
  • While in the Group Policy Object Editor, go to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. This option must be set to either Disabled or Not Configured.
  • Windows User Account Control (UAC) must be disabled. To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to Off. Alternatively, you can add a new registry DWORD named LocalAccountTokenFilterPolicy and set its value to “1”. This key must be created in the registry at this location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
  • The Remote Registry service must be enabled; it is disabled by default.
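The following PowerShell script is an added example, not part of the AlienVault documentation: run from an elevated session on the target asset, it audits the prerequisites listed above (Remote Registry service, remote UAC token filtering, the File and Printer Sharing firewall exception, and a responding WinRM listener) and, when invoked with -Apply, sets each one. For the UAC item it uses the LocalAccountTokenFilterPolicy registry alternative rather than turning UAC off entirely.

```powershell
# Added example: audit (and optionally apply) the Windows prerequisites for
# authenticated USM Anywhere scans. Run elevated; pass -Apply to make changes.
[CmdletBinding()]
param([switch]$Apply)

$results = @()
function Add-Result($Check, $Ok, $Note) {
    $script:results += [pscustomobject]@{ Check = $Check; OK = $Ok; Note = $Note }
}

# 1. Remote Registry service must be running (it is disabled by default).
$svc = Get-Service -Name RemoteRegistry
if ($svc.Status -ne 'Running' -and $Apply) {
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry
    $svc = Get-Service -Name RemoteRegistry
}
Add-Result 'Remote Registry service running' ($svc.Status -eq 'Running') "Status=$($svc.Status)"

# 2. Remote UAC token filtering: LocalAccountTokenFilterPolicy = 1 (DWORD),
#    the registry alternative to disabling UAC described in the list above.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($pol -ne 1 -and $Apply) {
    New-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force | Out-Null
    $pol = 1
}
Add-Result 'LocalAccountTokenFilterPolicy = 1' ($pol -eq 1) "Value=$pol"

# 3. File and Printer Sharing exception: all inbound rules in the group enabled.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
if (($fps | Where-Object Enabled -eq 'False') -and $Apply) {
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    $fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
}
$disabled = @($fps | Where-Object Enabled -eq 'False').Count
Add-Result 'File and Printer Sharing rules enabled' ($disabled -eq 0) "$disabled of $($fps.Count) rules disabled"

# 4. WinRM listener responding locally (a CIS-hardened host may lose this on reboot).
$winrmOk = $false
try { Test-WSMan -ErrorAction Stop | Out-Null; $winrmOk = $true } catch {}
if (-not $winrmOk -and $Apply) {
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
    try { Test-WSMan -ErrorAction Stop | Out-Null; $winrmOk = $true } catch {}
}
Add-Result 'WinRM listener responding' $winrmOk ''

$results | Format-Table -AutoSize
```

Run it without -Apply first to see which prerequisites a given asset is missing before changing anything; on a CIS-hardened server it can be scheduled at startup to restore the settings the local policies reset on each boot.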

Access Control Matrix

An Access Control Matrix is a table that maps the permissions of a set of subjects to act upon a set of objects within a system. You can use an Access Control Matrix to plan which scan credentials USM Anywhere uses for which assets.

Access Control Matrix (1)

                <unix_asset>   <cisco_asset>   <windows_asset>
UNIX User       rwx            N/A             N/A
Cisco User      N/A            rwx             N/A
Windows User    N/A            N/A             rwx