Credentialed Checks on Windows

Follow the steps in this document to configure Windows systems for local security checks.

Note: To run some local checks, Tenable Nessus requires that the host run PowerShell 5.0 or newer.

Tip: To view the Windows operating systems that are compatible with Tenable Nessus, see Tenable Nessus Software Requirements.

Prerequisites

Before you begin this process, ensure that there are no security policies in place that block credentialed checks on Windows, such as:

  • Windows security policies

  • Local computer policies (for example, Deny access to this computer from the network, Access this computer from the network)

  • Antivirus or endpoint security rules

  • IPS/IDS

Configure an Account for Authenticated Scanning

The most important aspect of Windows credentials is that the account used to perform the checks needs privileges to access all required files and registry entries, which often means administrative privileges. If you do not provide Tenable Nessus with credentials for an administrative account, at best it can perform registry checks for patches. While this is still a valid method of finding installed patches, it is incompatible with some third-party patch management tools that may neglect to set the registry key that records the patch. If Tenable Nessus has administrative privileges, it instead checks the version of the patched dynamic-link library (.dll) files on the remote host, which is considerably more accurate.

The following drop-down sections describe how to configure a domain or local account to use for Windows credentialed checks, depending on your use case.

Note: You can only use Domain Administrator accounts to scan Domain Controllers.

Create the "Nessus Local Access" Security Group

  1. Log in to a Domain Controller and open Active Directory Users and Computers.
  2. To create a security group, select Action > New > Group.
  3. Name the group Nessus Local Access. Set Scope to Global and Type to Security.
  4. Add the account you plan to use to perform Tenable Nessus Windows authenticated scans to the Nessus Local Access group.

Create the "Nessus Scan GPO" Group Policy

  1. Open the Group Policy Management Console.
  2. Right-click Group Policy Objects and select New.
  3. Type Nessus Scan GPO as the name of the policy.

Add the "Nessus Local Access" Group to the "Nessus Scan GPO" Policy

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  3. Right-click Restricted Groups in the left navigation pane and select Add Group.
  4. In the Add Group dialog box, select Browse and enter Nessus Local Access.
  5. Select Check Names.
  6. Select OK twice to close the dialog box.
  7. Select Add under This group is a member of:
  8. Add the Administrators Group.
  9. Select OK twice.

Tenable Nessus uses Server Message Block (SMB) and Windows Management Instrumentation (WMI). Ensure Windows Firewall allows access to the system.

Allow WMI on Windows

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  3. Right-click in the working area and choose New Rule....
  4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down box.
  5. Select Next.
  6. Select the checkboxes for:
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)
  7. Select Next.
  8. Select Finish.

Tip: Later, you can edit the predefined rules this creates and restrict them by remote IP address (the scanner) and by domain user, so that only the scanner can reach WMI and the rules cannot be abused from elsewhere.

Link the GPO

  1. In the Group policy management console, right-click the domain or the OU and select Link an Existing GPO.
  2. Select the Nessus Scan GPO.
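The whole procedure above (security group, GPO, inbound WMI rules, GPO link), scripted as an added example that is not part of Tenable's documentation or product. It uses the RSAT ActiveDirectory, GroupPolicy and NetSecurity cmdlets from a domain-joined administrative host; the domain, container, OU, scan account and scanner address are assumed values to replace with your own. It also applies the tip above by scoping the copied rules to the scanner's address, and adds the predefined SMB-In rule because Tenable Nessus needs SMB as well as WMI. The Restricted Groups step has no GroupPolicy cmdlet and stays in the GPMC editor.

```powershell
# Added example, not Tenable's code: scripts the procedure above with the RSAT
# ActiveDirectory, GroupPolicy and NetSecurity modules from a domain-joined
# admin host. Domain, container, OU, account and scanner address are assumed.
#Requires -Modules ActiveDirectory, GroupPolicy, NetSecurity
param(
    [string]$Domain    = 'corp.example',                    # assumed AD DNS domain
    [string]$GroupPath = 'CN=Users,DC=corp,DC=example',     # assumed container for the group
    [string]$ScanAcct  = 'svc-nessus',                      # assumed scan account (sAMAccountName)
    [string]$TargetOU  = 'OU=Servers,DC=corp,DC=example',   # assumed OU holding the scan targets
    [string]$ScannerIP = '10.10.5.20'                       # assumed Nessus scanner address
)
$GroupName = 'Nessus Local Access'
$GpoName   = 'Nessus Scan GPO'
$GpoStore  = "$Domain\$GpoName"   # PolicyStore syntax the NetSecurity cmdlets use for a GPO

# 1. Security group: Global scope, Security type, scan account as a member.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -PassThru
}
Add-ADGroupMember -Identity $group -Members $ScanAcct

# 2. Group Policy Object.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Nessus credentialed scanning: local admin rights + inbound WMI/SMB'
}

# 3. Restricted Groups ("Nessus Local Access" is a member of Administrators):
#    the GroupPolicy module has no cmdlet for Restricted Groups, so that step
#    is done in the GPMC editor as described above. Everything else is scripted.

# 4. Firewall rules. Copies a predefined inbound rule set from the local
#    persistent store into the GPO (domain profile only), enables it, and
#    scopes it to the scanner address so only the scanner can reach the port.
function Copy-PredefinedRuleToGpo {
    param([hashtable]$Filter)   # @{ DisplayGroup = '...' } or @{ DisplayName = '...' }
    $already = Get-NetFirewallRule -PolicyStore $GpoStore @Filter -ErrorAction SilentlyContinue
    if (-not $already) {
        Get-NetFirewallRule -PolicyStore PersistentStore @Filter |
            Where-Object { "$($_.Direction)" -eq 'Inbound' -and "$($_.Profile)" -match 'Domain|Any' } |
            Copy-NetFirewallRule -NewPolicyStore $GpoStore
    }
    Get-NetFirewallRule -PolicyStore $GpoStore @Filter |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ScannerIP
}
# The three WMI rules from the procedure (ASync-In, WMI-In, DCOM-In) share one display group.
Copy-PredefinedRuleToGpo -Filter @{ DisplayGroup = 'Windows Management Instrumentation (WMI)' }
# SMB (TCP 445), which Tenable Nessus also uses.
Copy-PredefinedRuleToGpo -Filter @{ DisplayName  = 'File and Printer Sharing (SMB-In)' }

# 5. Link the GPO to the OU that holds the scan targets (skip if already linked).
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $links) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Show what landed in the GPO.
Get-NetFirewallRule -PolicyStore $GpoStore |
    Select-Object DisplayName, Enabled, Profile, Direction | Format-Table -AutoSize
```

Run it once as a domain administrator; the guards make it safe to rerun after the Restricted Groups step has been added in the GPMC editor. Targets pick the policy up at the next Group Policy refresh (or `gpupdate /force` on the host).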

Configure Windows

Once you create an appropriate account for credentialed checks, there are several Windows options that you must configure before scanning:

What to do next:

  • Configure a Tenable Nessus scan for Windows logins.
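Before configuring the scan, a pre-flight check of one target from a Windows administrative host, as an added example that is not part of Tenable's documentation or product. It exercises the same access paths the page says Tenable Nessus relies on (SMB on TCP 445, the RPC endpoint mapper on TCP 135 that DCOM/WMI starts on, the C$ admin share for the DLL version check, the Remote Registry path used for registry-based patch checks, and WMI over DCOM) with the scan account's credentials, and reads the target's PowerShell engine version against the 5.0 requirement noted above. The target and account names are assumed values.

```powershell
# Added example, not Tenable's code: pre-flight check of one scan target run
# as the scan account from a Windows admin host. Target and account are assumed.
param(
    [string]$Target  = 'srv01.corp.example',   # assumed scan target
    [string]$Account = 'CORP\svc-nessus'        # assumed scan account
)
$cred    = Get-Credential -UserName $Account -Message "Password for $Account"
$results = [ordered]@{ Target = $Target }

# 1. Reachability of SMB (445) and the RPC endpoint mapper (135) used by DCOM/WMI.
foreach ($port in 445, 135) {
    $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $results["tcp/$port"] = $tnc.TcpTestSucceeded
}

# 2. Admin share + DLL version: what Nessus does with administrative rights.
#    Mapping C$ with the scan credential also opens the SMB session that the
#    remote registry call below rides on, so it stays mapped until step 3 is done.
try {
    New-PSDrive -Name NessusChk -PSProvider FileSystem -Root "\\$Target\C$" `
                -Credential $cred -ErrorAction Stop | Out-Null
    $dll = Get-Item 'NessusChk:\Windows\System32\ntdll.dll' -ErrorAction Stop
    $results['admin share C$']    = $true
    $results['ntdll.dll version'] = $dll.VersionInfo.FileVersion
} catch {
    $results['admin share C$'] = $false
    $results['C$ error']       = $_.Exception.Message
}

# 3. Remote Registry: the non-admin fallback (registry-based patch checks), plus
#    the installed PowerShell engine version, which Nessus needs to be 5.0 or newer.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    $ps   = $hklm.OpenSubKey('SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine')
    # The ...\PowerShell\3 key only exists from PowerShell 3.0 on; absence means 2.0 or older.
    $ver  = if ($ps) { [version]$ps.GetValue('PowerShellVersion') } else { [version]'2.0' }
    $results['remote registry']    = $true
    $results['PowerShell version'] = $ver
    $results['PowerShell >= 5.0']  = ($ver -ge [version]'5.0')
    $hklm.Close()
} catch {
    $results['remote registry'] = $false
    $results['registry error']  = $_.Exception.Message
}
Remove-PSDrive -Name NessusChk -ErrorAction SilentlyContinue

# 4. WMI over DCOM (the transport named above), authenticated as the scan account.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $cs  = New-CimSession -ComputerName $Target -Credential $cred -SessionOption $opt -ErrorAction Stop
    $os  = Get-CimInstance -CimSession $cs -ClassName Win32_OperatingSystem
    $results['wmi']      = $true
    $results['os build'] = $os.BuildNumber
    Remove-CimSession $cs
} catch {
    $results['wmi']       = $false
    $results['wmi error'] = $_.Exception.Message
}

[pscustomobject]$results | Format-List
```

A false in `admin share C$` with a true `remote registry` is the non-administrative case the page describes (registry-only patch checks); a false in `tcp/135` or `wmi` with the GPO applied usually points at one of the prerequisite blockers listed above (a local policy denying network logon, endpoint security, or an IPS) rather than at the firewall rules themselves.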