TOC & Recently Viewed

Recently Viewed Topics

Windows Credentials

Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied.

Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes sense to create a special Nessus user with administrative privileges that is used solely for scheduled scanning.

Configure the following options for Windows credentials.

General Options Description

Name

(Required) A name for the credential.
Description A description for the credential.

Tag

A tag for the credential.
Type The type of authentication you want to perform. For Windows credentials, select Windows.
Authentication Method

The method you want to use for authentication. Your Authentication Method selection determines the other options you must configure: CyberArk Vault Options, Kerberos Options, Windows Credentials, Windows Credentials, Password Options, and Thycotic Secret Server Options.

CyberArk Vault Options

The following table describes the options to configure when using CyberArk Vault as the Authentication Method for Windows credentials.

You must meet the version requirements specified in Tenable Integrated Product Compatibility.

Option Description

Username

The username for the target system.

Domain

The domain, if the username is part of a domain.

Central Credential Provider URL Host

The CyberArk Central Credential Provider IP/DNS address.

Central Credential Provider URL Port

The port the CyberArk Central Credential Provider is listening on.

Vault Username (optional)

The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Vault Password (optional)

The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication.

Safe

The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

AppID

The AppID with CyberArk Central Credential Provider permissions to retrieve the target password.

Folder

The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve.

PolicyID

The PolicyID assigned to the credentials you want to retrieve.

Vault Use SSL

When enabled, SecurityCenter uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

Vault Verify SSL

When enabled, SecurityCenter validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option.

For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.

CyberArk Account Details Name

The name parameter for the CyberArk account.

Kerberos Options

The following table describes the options to configure when using Kerberos as the Authentication Method for Windows credentials.

Option Description
Username The username for a user on the target system.
Password The password associated with the username you provided.
Domain The authentication domain, typically the domain name of the target (e.g., example.com).
KDC Host The host supplying the session tickets.
KDC Port The port you want to use for the KDC connection. By default, SecurityCenter uses port 88.
KDC Transport

The method you want to use to connect to the KDC server.

Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750.

LM Hash Options

The following table describes the options to configure when using LM Hash as the Authentication Method for Windows credentials.

Option Description
Username The username for a user on the target system.
Hash The LM hash you want to use.
Domain The domain of the username, if required.

NTLM Hash Options

The following table describes the options to configure when using NTLM Hash as the Authentication Method for Windows credentials.

Option Description
Username The username for a user on the target system.
Hash The NTLM hash you want to use.
Domain The domain of the username, if required.

Password Options

The following table describes the options to configure when using Password as the Authentication Method for Windows credentials.

Option Description
Username The username for a user on the target system.
Password The password associated with the username you provided.
Domain The domain of the username, if required.

Thycotic Secret Server Options

The following table describes the options to configure when using Thycotic Secret Server as the Authentication Method for Windows credentials.

Option Description

Username

(Required) The username for a user on the target system.
Domain The domain of the username, if set on the Thycotic server.
Thycotic Secret Name (Required) The Secret Name value on the Thycotic server.
Thycotic Secret Server URL

(Required) The value you want SecurityCenter to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL.

For example, if you type https://pw.mydomain.com/SecretServer, SecurityCenter determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory.

Thycotic Login Name (Required) The username for a user on the Thycotic server.
Thycotic Password (Required) The password associated with the Thycotic Login Name you provided.
Thycotic Organization (Optional) In cloud instances of Thycotic, the value that identifies which organization the SecurityCenter query should target.
Thycotic Domain (Optional) The domain, if set for the Thycotic server.
Use Private Key If enabled, SecurityCenter uses key-based authentication for SSH connections instead of password authentication.
Verify SSL Certificate

If enabled, SecurityCenter verifies the SSL Certificate on the Thycotic server.

For more information about using self-signed certificates, see the Nessus custom_CA.inc documentation.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.