Enable Windows Logins for Local and Remote Audits
The most important aspect of Windows credentials is that the account used to perform the checks needs privileges to access all required files and registry entries, which often means administrative privileges. If you do not provide Nessus with credentials for an administrative account, at best you can use it to perform registry checks for the patches. While this is still a valid method to find installed patches, it is incompatible with some third-party patch management tools that may neglect to set the key in the policy. If Nessus has administrative privileges, it checks the version of the dynamic-link library (.dll) on the remote host, which is considerably more accurate.
The following bullets describe how to configure a domain or local account to use for Windows credentialed checks, depending on your needs.
Use Case #1: Configure a Domain Account for Local Audits
To create a domain account for remote, host-based auditing of a Windows server, the server must be part of a domain. To configure the server to allow logins from a domain account, use the Classic security model, as described in the following steps:
Note: To learn more about protecting scanning credentials, see 5 Ways to Protect Scanning Credentials for Windows Hosts.
- Open the Start menu and select Run.
- In the Run dialog, type gpedit.msc and select OK.
- Select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- In the list, select Network access: Sharing and security model for local accounts.
  The Network access: Sharing and security model for local accounts window appears.
- In the Local Security Setting section, in the drop-down box, select Classic - local users authenticate as themselves.
  This allows local users of the domain to authenticate as themselves, even though they are not physically local on the particular server. Without this setting, all remote users, even real users in the domain, authenticate as guests and do not have sufficient privileges to perform a remote audit.
- Click OK.
Use Case #2: Configure a Local Account
To configure a standalone (in other words, not part of a domain) Windows server with credentials you plan to use for credentialed checks, create a unique account as the administrator.
Do not set the configuration of this account to the default of Guest only: local users authenticate as guest. Instead, switch this to Classic: local users authenticate as themselves.
Once you create an appropriate account for credentialed checks, there are several Windows configuration options that you must enable or disable before scanning (for more information, see Credentialed Checks on Windows):
- (Local accounts only) User Account Control (UAC)
  Disable Windows User Account Control (UAC), or change a specific registry setting to allow Nessus audits. To disable UAC, open the Control Panel, select User Accounts, and set Turn User Account Control to Off.
  Alternatively, instead of disabling UAC, Tenable recommends adding a new registry DWORD named LocalAccountTokenFilterPolicy and setting its value to 1. Create this value under the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy. For more information on this registry setting, see the MSDN 766945 KB.
- Using the Run prompt, run gpedit.msc to open the Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Allow inbound file and printer exception and enable it.
  While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. Set this option to either Disabled or Not Configured.
- Open any host firewalls to allow connections from Nessus to File and Printer Sharing on TCP ports 139 and 445.
- If you want Nessus to pick up any open ports or services on the host, those ports also need to be accessible to the scanner.
- Enable the Remote Registry. You can enable it for a one-time audit, or leave it enabled permanently if you perform frequent audits.
  Note: For information on enabling the Remote Registry during scans, see How to enable the "Start the Remote Registry service during the scan" option in a scan policy.
- Enable administrative shares (IPC$, ADMIN$, C$).
  Note: Windows 10 disables ADMIN$ by default. For all other operating systems, the three administrative shares are enabled by default and can cause other issues if disabled. For more information, see http://support.microsoft.com/kb/842715/en-us.
  Note: To troubleshoot missing administrative shares, see the related Microsoft troubleshooting topic.
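The following script is an added example, not part of the Tenable documentation: run in an elevated PowerShell on the target host, it reports each prerequisite listed above, and with -Fix it applies the two registry settings the page recommends (Classic sharing model and LocalAccountTokenFilterPolicy=1) and starts the Remote Registry service. It assumes the SmbShare and NetSecurity modules (Windows 8 / Server 2012 and later), an en-US firewall rule group name, and that the Classic sharing model is stored in the ForceGuest value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which the page does not name.

```powershell
# Readiness check for Nessus credentialed scanning (added example, not Tenable code).
# -Fix applies the registry settings and starts Remote Registry; shares and firewall are reported only.
[CmdletBinding()]
param([switch]$Fix)

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'                       # ForceGuest: 0 = Classic (assumed mapping)
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'  # LocalAccountTokenFilterPolicy (from the page)
$results = @()

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Detail = $Detail }
}

# 1. Network access: Sharing and security model for local accounts -> Classic
$forceGuest = (Get-ItemProperty -Path $lsa -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
if ($Fix -and $forceGuest -ne 0) { Set-ItemProperty -Path $lsa -Name ForceGuest -Value 0 -Type DWord; $forceGuest = 0 }
Add-Result 'Sharing model is Classic' ($forceGuest -eq 0) "ForceGuest=$forceGuest"

# 2. UAC remote restriction for local accounts (Tenable's alternative to disabling UAC)
$latfp = (Get-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($Fix -and $latfp -ne 1) { Set-ItemProperty -Path $policy -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord; $latfp = 1 }
Add-Result 'LocalAccountTokenFilterPolicy = 1' ($latfp -eq 1) "value=$latfp"

# 3. Remote Registry service (one-time audit: start it; frequent audits: leave it enabled)
$svc = Get-Service -Name RemoteRegistry
if ($Fix -and $svc.Status -ne 'Running') {
    Set-Service -Name RemoteRegistry -StartupType Manual
    Start-Service -Name RemoteRegistry
    $svc.Refresh()
}
Add-Result 'Remote Registry running' ($svc.Status -eq 'Running') "status=$($svc.Status)"

# 4. Administrative shares present (Windows 10 disables ADMIN$ by default)
$shares = (Get-SmbShare).Name
foreach ($s in 'IPC$', 'ADMIN$', 'C$') { Add-Result "Share $s exists" ($shares -contains $s) '' }

# 5. Inbound File and Printer Sharing rules (TCP 139/445) enabled; group name assumed en-US
$fps = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue)
$enabled = @($fps | Where-Object { $_.Enabled -eq 'True' }).Count
Add-Result 'File and Printer Sharing inbound rules enabled' ($enabled -gt 0) "$enabled of $($fps.Count) rules enabled"

$results | Format-Table -AutoSize
```

Any row marked FIX corresponds to one of the bullets above; the firewall and share rows are informational and must still be addressed through the steps the page describes.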