Credentialed Checks on Windows

The process described in this section enables you to perform local security checks on Windows systems. You can only use Domain Administrator accounts to scan Domain Controllers.

Note: To view the Windows operating systems that are compatible with Tenable Nessus, see Tenable Nessus Software Requirements.
Note: To run some local checks, Tenable Nessus requires that the host runs PowerShell 5.0 or newer.

Before you begin this process, ensure that there are no security policies in place that block credentialed checks on Windows, such as:

  • Windows security policies

  • Local computer policies (for example, Deny access to this computer from the network, Access this computer from the network)

  • Antivirus or endpoint security rules

  • IPS/IDS

Configure a Domain Account for Authenticated Scanning

To create a domain account for remote host-based auditing of a Windows server, the server must first be a supported version of Windows and be part of a domain.

Create a Security Group called Nessus Local Access

  1. Log in to a Domain Controller and open Active Directory Users and Computers.
  2. To create a security group, select Action > New > Group.
  3. Name the group Nessus Local Access. Set Scope to Global and Type to Security.
  4. Add the account you plan to use to perform Tenable Nessus Windows Authenticated Scans to the Tenable Nessus Local Access group.

Create Group Policy called Local Admin GPO

  1. Open the Group Policy Management Console.
  2. Right-click Group Policy Objects and select New.
  3. Type the name of the policy Nessus Scan GPO.

Add the Nessus Local Access group to the Nessus Scan GPO

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  3. In the left navigation bar on Restricted Groups, right-click and select Add Group.
  4. In the Add Group dialog box, select browse and enter Nessus Local Access.
  5. Select Check Names.
  6. Select OK twice to close the dialog box.
  7. Select Add under This group is a member of:
  8. Add the Administrators Group.
  9. Select OK twice.

Tenable Nessus uses Server Message Block (SMB) and Windows Management Instrumentation (WMI). Ensure Windows Firewall allows access to the system.

Allow WMI on Windows

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  3. Right-click in the working area and choose New Rule...​.
  4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down box.
  5. Select Next.
  6. Select the check boxes for:
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)
  7. Select Next.
  8. Select Finish.

Tip: Later, you can edit the predefined rule created and limit the connection to the ports by IP Address and Domain User to reduce any risk for abuse of WMI.

Link the GPO

  1. In Group policy management console, right-click the domain or the OU and select Link an Existing GPO.
  2. Select the Tenable Nessus` Scan GPO.

Configure Windows

  1. Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
  2. Using the gpedit.msc tool (via the Run prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall : Allow inbound file and printer exception, and enable it.
  3. (Windows 8 and earlier only) While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain and set it to either Disabled or Not Configured.

  4. Enable the Remote Registry service (it is disabled by default). If the service is set to manual (rather than enabled), plugin IDs 42897 and 42898 only enable the registry during the scan.

    Note: Enabling this option configures Tenable Nessus to attempt to start the remote registry service before starting the scan.

    The Windows credentials provided in the Tenable Nessus scan policy must have administrative permissions to start the Remote Registry service on the host being scanned.

  5. Open TCP ports 139 and 445 between Tenable Nessus and the target.

  6. Using either the AutoShareServer (Windows Server) or AutoShareWks (Windows Workstation), enable the following default administrative shares:

    • IPC$

    • ADMIN$

      Note: Windows 10 disables ADMIN$ by default. For all other operating systems, the three shares are enabled by default and can cause other issues if disabled by default. For more information, see http://support.microsoft.com/kb/842715/en-us.

    • C$

Caution: While not recommended, you can disable Windows User Account Control (UAC).

Tip: To turn off UAC completely, open the Control Panel, select User Accounts, and then set Turn User Account Control to off. Alternatively, you can add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1.

You must create this key in the registry at the following location: HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if you disable UAC, then you must set EnableLUA to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.

What to do next:

  • View the prerequisites for Windows credentialed checks.

  • Enable Windows logins for local and remote audits.

  • Configure a Tenable Nessus scan for Windows Logins.