Credentialed Checks on Windows

The process described in this section enables you to perform local security checks on Windows systems.

Note: Only Domain Administrator accounts can be used to scan Domain Controllers.

Configure a Domain Account for Authenticated Scanning

To create a domain account for remote host-based auditing of a Windows server, the server must be running Windows Server 2008, Server 2008 R2*, Server 2012, Server 2012 R2, Windows 7, Windows 8, or Windows 10 and must be joined to a domain.

Create a Security Group called Nessus Local Access

  1. Log onto a Domain Controller and open Active Directory Users and Computers.
  2. Create a security group by selecting Action > New > Group.
  3. Name the group Nessus Local Access. Make sure it has a Scope of Global and a Type of Security.
  4. Add the account you will use to perform Nessus Windows Authenticated Scans to the Nessus Local Access group.

Create a Group Policy Object called Nessus Scan GPO

  1. Open the Group Policy Management Console.
  2. Right-click Group Policy Objects and select New.
  3. Type the name of the policy Nessus Scan GPO.

Add the Nessus Local Access group to the Nessus Scan GPO

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  3. In the left pane on Restricted Groups, right-click and select Add Group.
  4. In the Add Group dialog box, select browse and enter Nessus Local Access.
  5. Select Check Names.
  6. Select OK twice to close the dialog box.
  7. Select Add under This group is a member of:
  8. Add the Administrators Group.
  9. Select OK twice.

Nessus uses SMB (Server Message Block) and WMI (Windows Management Instrumentation) for these checks, so the Windows Firewall on each target must allow inbound access for both.

Allow WMI on Windows Vista, 7, 8, 10, 2008, 2008 R2 and 2012 Windows Firewall

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  3. Right-click in the working area and choose New Rule...
  4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list.
  5. Select Next.
  6. Select the check boxes for:
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)
  7. Select Next.
  8. Select Finish.

Tip: Later, you can edit the predefined rules to restrict them to the scanner's IP addresses (Scope > Remote IP address) and, if the rules are set to allow only secure connections, to the domain account used for scanning (Remote Users). Any host that can reach these ports with valid credentials can use WMI for remote code execution, so limiting the rules to the scanner reduces the risk of abuse.

Link the GPO

  1. In Group policy management console, right-click the domain or the OU and select Link an Existing GPO.
  2. Select the Nessus Scan GPO.
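The group, GPO, firewall-rule and link steps above can also be scripted with the RSAT modules. The following PowerShell is an added example and is not a script from Tenable or from this page. The domain corp.example, the scan account svc-nessus, the scanner address 10.20.30.40 and the target OU are placeholders to replace; the firewall rules reproduce the three predefined WMI rules plus SMB, but scoped to the scanner's address as the Tip recommends. Restricted Groups has no PowerShell cmdlet, so the step that makes Nessus Local Access a member of Administrators is still done in the GPMC editor as described above.

```powershell
# Added example, not Tenable's own script. Run as a Domain Admin on a domain
# controller or a host with RSAT (ActiveDirectory, GroupPolicy, NetSecurity).
# All names below are assumptions for illustration; change them for your domain.
#Requires -Modules ActiveDirectory, GroupPolicy, NetSecurity
$ErrorActionPreference = 'Stop'

$Domain    = 'corp.example'                      # assumed AD DNS domain
$GroupName = 'Nessus Local Access'
$ScanUser  = 'svc-nessus'                        # assumed scan account (sAMAccountName)
$GpoName   = 'Nessus Scan GPO'
$ScannerIP = '10.20.30.40'                       # assumed Nessus scanner address
$TargetOU  = 'OU=Servers,DC=corp,DC=example'     # assumed OU holding the scan targets

# 1. Global security group that holds the scan account (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members become local Administrators on hosts covered by Nessus Scan GPO'
}
if (-not (Get-ADGroupMember -Identity $GroupName | Where-Object SamAccountName -eq $ScanUser)) {
    Add-ADGroupMember -Identity $GroupName -Members $ScanUser
}

# 2. The GPO itself. Restricted Groups (Nessus Local Access -> member of
#    Administrators) cannot be set from PowerShell; do that in the GPMC editor.
$gpo = Get-GPO -All | Where-Object DisplayName -eq $GpoName
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Local admin and WMI/SMB firewall access for Nessus'
}

# 3. Inbound firewall rules written into the GPO through a GPO session.
#    These mirror the predefined WMI rules (DCOM-In, WMI-In, ASync-In) and
#    SMB-In, but only from the scanner address, in the Domain profile.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'
    RemoteAddress = $ScannerIP
    Group         = 'Nessus scanner access'
    GPOSession    = $session
}
# DCOM endpoint mapper (RPCSS on TCP 135)
New-NetFirewallRule @common -DisplayName 'Nessus WMI (DCOM-In)' -Protocol TCP -LocalPort 135 `
    -Program '%SystemRoot%\system32\svchost.exe' -Service RpcSs
# WMI service on a dynamic RPC port
New-NetFirewallRule @common -DisplayName 'Nessus WMI (WMI-In)' -Protocol TCP -LocalPort RPC `
    -Program '%SystemRoot%\system32\svchost.exe' -Service Winmgmt
# Asynchronous WMI callbacks
New-NetFirewallRule @common -DisplayName 'Nessus WMI (ASync-In)' -Protocol TCP -LocalPort Any `
    -Program '%SystemRoot%\system32\wbem\unsecapp.exe'
# SMB for file and printer sharing / remote registry transport
New-NetFirewallRule @common -DisplayName 'Nessus SMB (SMB-In)' -Protocol TCP -LocalPort 445 `
    -Program 'System'
Save-NetGPO -GPOSession $session

# 4. Link the GPO to the OU that contains the hosts to be scanned.
if (-not ((Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes
}
```

After the Restricted Groups setting is added in the editor, run gpupdate /force on a target and confirm that Nessus Local Access appears in its local Administrators group before launching the first credentialed scan.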

Configure Windows 2008, Vista, 7, 8, and 10

  1. Under Windows Firewall → Windows Firewall Settings, File and Printer Sharing must be enabled.
  2. Using the gpedit.msc tool (via the Run... prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Allow inbound file and printer exception, and enable it.
  3. While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain and ensure it is set to either Disabled or Not Configured.
  4. The Remote Registry service must be enabled (it is disabled by default). It can be enabled manually for continuing audits, either by an administrator or by Nessus. Using plugin IDs 42897 and 42898, Nessus can enable the service just for the duration of the scan.

Note: Enabling this option configures Nessus to attempt to start the remote registry service prior to starting the scan.

The Windows credentials provided in the Nessus scan policy must have administrative permissions to start the Remote Registry service on the host being scanned.

Caution: While not recommended, Windows User Account Control (UAC) can be disabled.

Tip: To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to off. A narrower alternative that leaves UAC enabled is to add a new registry value named LocalAccountTokenFilterPolicy (REG_DWORD) and set it to 1. This disables only the UAC remote restrictions, which strip the administrator token from local (non-domain) administrator accounts that log on over the network. Domain accounts that are members of the local Administrators group, such as the scan account configured above, are not filtered and do not need this value.

This value must be created in the registry at the following location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (value name LocalAccountTokenFilterPolicy).

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if UAC is disabled, then EnableLUA must be set to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.
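Before the first scan it is worth confirming on a target host that every prerequisite in this section is actually in place. The following PowerShell readiness check is an added example, not a script from Tenable or this page; it assumes the domain NetBIOS name CORP and the group name Nessus Local Access, and it runs in an elevated PowerShell 5.1 session on the host being scanned.

```powershell
# Added example (not from the Tenable page): pre-scan readiness check for one
# Windows target. Run elevated, PowerShell 5.1 or later. Assumed names below.
$ScanGroup = 'CORP\Nessus Local Access'   # assumption: DOMAIN\group from the GPO above
$results   = [ordered]@{}

# 1. Has the Restricted Groups policy made the scan group a local Administrator?
#    'net localgroup' is used because Get-LocalGroupMember is absent on the
#    older versions listed on this page (Windows 7/8, Server 2008/2012).
$admins = (net localgroup Administrators) | ForEach-Object { $_.Trim() }
$results['ScanGroupIsLocalAdmin'] = $admins -contains $ScanGroup

# 2. Firewall: the predefined WMI rules and File and Printer Sharing (SMB-In)
#    must be enabled for the profile the host is currently on.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound
$results['WmiRulesEnabled'] = @($wmiRules | Where-Object Enabled -eq 'True').Count -ge 3
$smbRule = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)'
$results['SmbRuleEnabled'] = @($smbRule | Where-Object Enabled -eq 'True').Count -gt 0

# 3. Remote Registry: running, or at least not Disabled so that Nessus
#    (plugins 42897/42898) can start it for the duration of the scan.
$rr = Get-Service -Name RemoteRegistry
$results['RemoteRegistryRunning']   = $rr.Status -eq 'Running'
$results['RemoteRegistryStartable'] = $rr.StartType -ne 'Disabled'

# 4. UAC state. Domain accounts in Administrators are not subject to UAC remote
#    restrictions; LocalAccountTokenFilterPolicy = 1 matters only when scanning
#    with a local account. EnableLUA = 0 means UAC is off entirely.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results['UacEnabled']                   = ($pol.EnableLUA -ne 0)
$results['LocalAccountTokenFilterPolicy'] = ($pol.LocalAccountTokenFilterPolicy -eq 1)

# 5. Summary: everything a domain scan account needs. The token-filter value is
#    reported but not required, since the page's procedure uses a domain account.
$results['ReadyForDomainAccountScan'] = $results['ScanGroupIsLocalAdmin'] -and
    $results['WmiRulesEnabled'] -and $results['SmbRuleEnabled'] -and
    $results['RemoteRegistryStartable']

[pscustomobject]$results | Format-List

# Remediation for the two items most often found wrong, left commented so the
# check itself makes no changes:
#   Set-Service -Name RemoteRegistry -StartupType Manual
#   Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)'
```

Run the check from the scanner's own network segment as well (for example by executing it remotely with Invoke-Command) so that any firewall scoping added per the Tip above is exercised from the address the scanner will actually use.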

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.