Windows Auto-Discovery

Note: The Address field in the CyberArk Account Details for an account/host must contain a valid IP/FQDN and must be resolvable on your network. This value is vetted during the collection and discovery process. Address values that are null or unresolvable will not be added to the scan.

Note: Domain support is included, but CyberArk accounts must make use of the Domain field provided in account set up.

To configure windows auto-discovery:

  1. Log in to Tenable Nessus Manager.

  2. In the upper-left corner, click the button.

    The left navigation plane appears.

  3. Click the Credentials tab.

    The Credentials pane appears.

  4. In the left navigation plane, click Settings.

    The Settings page appears.

  5. Click the Credentials widget.

    The Credentials page appears. The credentials table lists the managed credentials you have permission to view.

  6. Click the button next to the Credentials title.

    The credential form plane appears.

  7. Click the Host option.

    The Host options appear.

  8. In the Host section, click Windows.

    The selected credential options appear.

  9. From the Authentication Method drop-down, select CyberArk Windows Auto-Discovery.

    The CyberArk Windows Auto-Discovery field options appear:

  10. Configure each field for the Windows authentication.

    Option

    Description

    		 Required

    CyberArk Host

    The IP address or FQDN name for the user’s CyberArk Instance.

    yes

    Port

    The port on which the CyberArk API communicates. By default, Tenable uses 443.

    yes

    AppID

    The Application ID associated with the CyberArk API connection.

    yes

    Safe

    Users may optionally specify a Safe to gather account information and request passwords.

    		 no

    AIM Web Service Authentication Type

    There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted.

    yes

    CyberArk PVWA Web UI Login Name

    Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

    yes

    CyberArk PVWA Web UI Login Password

    Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information.

    yes

    CyberArk Platform Search String

    String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all Windows platform accounts containing a username Admin in a Safe called TestSafe.

    Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy.

    		 yes

    Use SSL

    If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS.

    yes

    Verify SSL Certificate

    If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate.

    no

    Caution: Tenable strongly recommends encrypting communication between your on-site scanner and the CyberArk AIM gateway using HTTPS and/or client certificates. For information on securing the connection, refer to the Tenable Vulnerability Management User Guide and the Central Credential Provider Implementation Guide located at cyberark.com (login required).

  1. Click Save.