TOC & Recently Viewed

Recently Viewed Topics

Host

Tenable.io supports the following forms of host authentication:

SNMPv3

Use SNMPv3 credentials to scan remote systems that use an encrypted network management protocol (including network devices). Tenable.io uses these credentials to scan for patch auditing or compliance checks.

Click SNMPv3 in the Credentials list to configure the following settings:

Option Description

Username

(Required) The username for the SNMPv3 based account that Tenable.io uses to perform the checks on the target system.

Port

The port on which SNMP is running on the target system. By default, this value is 161.

Security level

The security level for SNMP: authentication, privacy, or both.

Authentication algorithm

The algorithm the remove service supports (MD5 or SHA1).

Authentication password

(Required) The password for the username specified.

Privacy algorithm

The encryption algorithm to use for SNMP traffic.

Privacy password

(Required) A password used to protect encrypted SNMP communication.

SSH

Use SSH credentials for host-based checks on Unix systems and supported network devices. SSH encrypts the data in transit to protect it from being viewed by sniffer programs. Tenable.io uses these credentials to obtain local information from remote Unix systems for patch auditing or compliance checks.

Tenable.io can use Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.).

Click SSH in the Credentials list to configure the settings for the following SSH authentication methods:

Note: Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Windows

Click Windows in the Credentials list to configure settings for the Windows-based authentication methods described below.

Windows Authentication Considerations

Regarding the authentication methods:

  • Tenable.io automatically uses SMB signing if it is required by the remote Windows server. SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack. Note that there have been many different types of attacks against Windows security to illicit hashes from computers for re-use in attacking servers. SMB Signing adds a layer of security to prevent these man-in-the-middle attacks.
  • The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the users’ Windows login credentials. Tenable.io supports use of SPNEGO Scans and Policies: Scans 54 of 151 with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication; nothing needs to be configured in the Tenable.io policy.
  • If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Tenable.io attempts to log in via NTLMSSP/LMv2 authentication. If that fails, Tenable.io then attempts to log in using NTLM authentication.
  • Tenable.io also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually, the IP address of the Windows Active Directory Server) must be provided.

Server Message Block (SMB) is a file-sharing protocol that allows computers to share information across the network. Providing this information to Tenable.io allows it to find local information from a remote Windows host. For example, using credentials enables Tenable.io to determine if important security patches have been applied. It is not necessary to modify other SMB parameters from default settings.

The SMB domain field is optional and Tenable.io is able to log on with domain credentials without this field. The username, password, and optional domain refer to an account that the target machine is aware of. For example, given a username of joesmith and a password of my4x4mpl3, a Windows server first looks for this username in the local system’s list of users, and then determines if it is part of a domain.

Regardless of credentials used, Tenable.io always attempts to log into a Windows server with the following combinations:

  • Administrator without a password
  • A random username and password to test Guest accounts
  • No username or password to test null sessions

The actual domain name is only required if an account name is different on the domain from that on the computer. It is entirely possible to have an Administrator account on a Windows server and within the domain. In this case, to log onto the local server, the username of Administrator is used with the password of that account. To log onto the domain, the Administrator username is also used, but with the domain password and the name of the domain.

When multiple SMB accounts are configured, Tenable.io attempts to log in with the supplied credentials sequentially. Once Tenable.io is able to authenticate with a set of credentials, it checks subsequent credentials supplied, but only uses them if administrative privileges are granted when previous accounts provided user access.

Some versions of Windows allow you to create a new account and designate it as an administrator. These accounts are not always suitable for performing credentialed scans. Tenable recommends that the original administrative account, named Administrator be used for credentialed scanning to ensure full access is permitted. On some versions of Windows, this account may be hidden. The real administrator account can be unhidden by running a DOS prompt with administrative privileges and typing the following command:

C:\> net user administrator /active:yes

If an SMB account is created with limited administrator privileges, Tenable.io can easily and securely scan multiple domains. Tenable recommends that network administrators create specific domain accounts to facilitate testing. Tenable.io includes a variety of security checks for Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 that are more accurate if a domain account is provided. Tenable.io does attempt to try several checks in most cases if no account is provided.

Note: The Windows Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry is not possible, even with full credentials. This service must be started for a Tenable.io credentialed scan to fully audit a system using credentials.

For more information, see the Tenable blog post Dynamic Remote Registry Auditing - Now you see it, now you don’t!

Credentialed scans on Windows systems require that a full administrator level account be used. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, but not all of them. Tenable.io plugins check that the provided credentials have full administrative access to ensure the plugins execute properly. For example, full administrative access is required to perform direct reading of the file system. This allows Tenable.io to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.