Credentialed Checks on Windows

Follow the steps in this document to configure Windows systems for local security checks.

Note: To run some local checks, Tenable Nessus requires that the host runs PowerShell 5.0 or newer.

Tip: To view the Windows operating systems that are compatible with Tenable Nessus, see Tenable Nessus Software Requirements.

Prerequisites

Before you begin this process, ensure that there are no security policies in place that block credentialed checks on Windows, such as:

  • Windows security policies

  • Local computer policies (for example, Deny access to this computer from the network, Access this computer from the network)

  • Antivirus or endpoint security rules

  • IPS/IDS

Configure an Account for Authenticated Scanning

The most important aspect of Windows credentials is that the account used to perform the checks needs privileges to access all required files and registry entries which, often, means administrative privileges. If you do not provide Tenable Nessus with credentials for an administrative account, at best, you can use it to perform registry checks for the patches. While this is still a valid method to find installed patches, it is incompatible with some third-party patch management tools that may neglect to set the key in the policy. If Tenable Nessus has administrative privileges, it checks the version of the dynamic-link library (.dll) on the remote host, which is considerably more accurate.

The following drop-down sections describe how to configure a domain or local account to use for Windows credentialed checks, depending on your use case.

Note: You can only use Domain Administrator accounts to scan Domain Controllers.

To create a domain account for remote, host-based auditing of a Windows server, the server must be a supported version of Windows and part of a domain. To configure the server to allow logins from a domain account, use the Classic security model, as described in the following steps:

  1. Open the Start menu and select Run.
  2. Enter gpedit.msc and select OK.
  3. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

  4. In the list, select Network access: Sharing and security model for local accounts.

    The Network access: Sharing and security model for local accounts window appears.

  5. In the Local Security Setting section, in the drop-down box, select Classic - local users authenticate as themselves.

    This allows local users of the domain to authenticate as themselves, even though they are not physically local on the particular server. Without doing this, all remote users, even real users in the domain, authenticate as guests and do not have enough credentials to perform a remote audit.

  6. Click OK.
Note: To learn more about protecting scanning credentials, see 5 Ways to Protect Scanning Credentials for Windows Hosts.

To configure a standalone (in other words, not part of a domain) Windows server with credentials you plan to use for credentialed checks, create a unique account as the administrator.

Do not set the configuration of this account to the default of Guest only: local users authenticate as guest. Instead, switch this to Classic: local users authenticate as themselves.

Note: A common mistake is to create a local account that does not have enough privileges to log on remotely and do anything useful. By default, Windows assigns new local accounts Guest privileges if they are logged into remotely. This prevents remote vulnerability audits from succeeding. Another common mistake is to increase the amount of access that the Guest users obtain. This reduces the security of your Windows server.

Create the "Nessus Local Access" Security Group

  1. Log in to a Domain Controller and open Active Directory Users and Computers.
  2. To create a security group, select Action > New > Group.
  3. Name the group Nessus Local Access. Set Scope to Global and Type to Security.
  4. Add the account you plan to use to perform Tenable Nessus Windows Authenticated Scans to the Tenable Nessus Local Access group.

Create the "Nessus Scan GPO" Group Policy

  1. Open the Group Policy Management Console.
  2. Right-click Group Policy Objects and select New.
  3. Type the name of the policy Nessus Scan GPO.

Add the "Nessus Local Access" Group to the "Nessus Scan GPO" Policy

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
  3. In the left navigation bar on Restricted Groups, right-click and select Add Group.
  4. In the Add Group dialog box, select browse and enter Nessus Local Access.
  5. Select Check Names.
  6. Select OK twice to close the dialog box.
  7. Select Add under This group is a member of:
  8. Add the Administrators Group.
  9. Select OK twice.

Tenable Nessus uses Server Message Block (SMB) and Windows Management Instrumentation (WMI). Ensure Windows Firewall allows access to the system.

Allow WMI on Windows

  1. Right-click Nessus Scan GPO Policy, then select Edit.
  2. Expand Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
  3. Right-click in the working area and choose New Rule...​.
  4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down box.
  5. Select Next.
  6. Select the checkboxes for:
    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)
  7. Select Next.
  8. Select Finish.

Tip: Later, you can edit the predefined rule created and limit the connection to the ports by IP Address and Domain User to reduce any risk for abuse of WMI.

Link the GPO

  1. In the Group policy management console, right-click the domain or the OU and select Link an Existing GPO.
  2. Select the Nessus Scan GPO.

Configure Windows

Once you create an appropriate account for credentialed checks, there are several Windows options that you must configure before scanning:

Disable Windows User Account Control (UAC), or you must change a specific registry setting to allow Tenable Nessus audits. To disable UAC, open the Control Panel, select User Accounts, and set Turn User Account Control to Off.

Alternatively, instead of disabling UAC, Tenable recommends adding a new registry DWORD named LocalAccountTokenFilterPolicy and setting its value to 1. Create this key in the following registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy. For more information on this registry setting, see the MSDN 766945 KB.

Tip: To turn off UAC completely, open the Control Panel, select User Accounts, and then set Turn User Account Control to off. Alternatively, you can add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1.

You must create this key in the registry at the following location: HKLM\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if you disable UAC, then you must set EnableLUA to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.

  • Using the Run prompt, run gpedit.msc and enable Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Allow inbound file and printer exception and enable it.

    While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. Set this option to either Disabled or Not Configured.

  • Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing. Open any host firewalls to allow connections from Tenable Nessus to File and Printer Sharing on TCP ports 139 and 445. If you want Tenable Nessus to pick up any open ports or services on the host, those ports also need to be accessible to the scanner.

Enable the Remote Registry (it is disabled by default). You can enable it for a one-time audit, or leave it enabled permanently if you perform frequent audits.

Note: Enabling this option configures Tenable Nessus to attempt to start the remote registry service before starting the scan.

The Windows credentials provided in the Tenable Nessus scan policy must have administrative permissions to start the Remote Registry service on the host being scanned.

If the service is set to manual (rather than enabled), plugin IDs 42897 and 42898 only enable the registry during the scan.

Note: For information on enabling the Remote Registry during scans, see How to enable the "Start the Remote Registry service during the scan" option in a scan policy.

Using either the AutoShareServer (Windows Server) or AutoShareWks (Windows Workstation), enable the following default administrative shares:

What to do next:

  • Configure a Tenable Nessus scan for Windows logins.