Windows Credentials
Tenable Security Center has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Tenable Security Center to determine if important security patches have been applied.
Tip: Using a non-administrator account will greatly affect the quality of the scan results. Often it makes sense to create a special Tenable Security Center user with administrative privileges that is used solely for scheduled scanning.
Configure the following options for Windows credentials, including options specific for your authentication method:
| General Options | Description |
|---|---|
|
Name |
(Required) A name for the credential. |
| Description | A description for the credential. |
|
Tag |
A tag for the credential. For more information, see Tags. |
Arcon Options
The following table describes the additional options to configure when using Arcon as the authentication method for Windows credentials.
| Option | Description |
|---|---|
| Arcon Host |
(Required) The Arcon IP address or DNS address. Note: If your Arcon installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Arcon Port | (Required) The port on which Arcon listens. By default, Tenable Security Center uses port 444. |
| API User | (Required) The API user provided by Arcon. |
| API Key | (Required) The API key provided by Arcon. |
| Authentication URL | (Required) The URL Tenable Security Center uses to access Arcon. |
| Password Engine URL |
(Required) The URL Tenable Security Center uses to access the passwords in Arcon. |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Checkout Duration |
(Required) The length of time, in hours, that you want to keep credentials checked out in Arcon. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in Arcon so that password changes do not disrupt your Tenable Security Center scans. If Arcon changes a password during a scan, the scan fails. |
| Use SSL | When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Arcon before enabling this option. |
| Verify SSL Certificate | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Arcon before enabling this option. |
BeyondTrust Options
The following table describes the options to configure when using BeyondTrust as the authentication method for Windows credentials.
| Option | Description |
|---|---|
| Username | The username to log in to the hosts you want to scan. |
| Domain | The domain of the username, if required by BeyondTrust. |
| BeyondTrust Host | The BeyondTrust IP address or DNS address. |
| BeyondTrust Port | The port BeyondTrust is listening on. |
| BeyondTrust API User | The API user provided by BeyondTrust. |
| BeyondTrust API Key | The API key provided by BeyondTrust. |
| Checkout Duration |
The length of time, in minutes, that you want to keep credentials checked out in BeyondTrust. Configure the Checkout duration to exceed the typical duration of your Tenable Security Center scans. If a password from a previous scan is still checked out when a new scan begins, the new scan fails. Tip: Configure the password change interval in BeyondTrust so that password changes do not disrupt your Tenable Security Center scans. If BeyondTrust changes a password during a scan, the scan fails. |
| Use SSL | If enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option. |
| Verify SSL Certificate | If enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option. |
Centrify Options
The following table describes the additional options to configure when using Centrify as the authentication method for Windows credentials.
| Option | Description |
|---|---|
| Centrify Host |
(Required) The Centrify IP address or DNS address. Note: If your Centrify installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Centrify Port | (Required) The port on which Centrify listens. By default, |
| API User | (Required) The API user provided by Centrify. |
| API Key | (Required) The API key provided by Centrify. |
| Tenant | (Required) The Centrify tenant associated with the API. By default, |
| Authentication URL | (Required) The URL |
| Password Query URL | (Required) The URL |
| Password Engine URL |
(Required) The URL |
| Username | (Required) The username to log in to the hosts you want to scan. |
| Checkout Duration |
(Required) The length of time, in minutes, that you want to keep credentials checked out in Centrify. Configure the Checkout Duration to exceed the typical duration of your Tenable Security Center scans so that password changes do not disrupt your |
| Use SSL | When enabled, |
| Verify SSL Certificate | When enabled, |
CyberArk Vault (Legacy) Options
The following table describes the options to configure when using CyberArk Vault (Legacy) as the authentication method for Windows credentials.
| Option | Description |
|---|---|
|
Username |
The username for the target system. |
|
Domain |
The domain, if the username is part of a domain. |
|
Central Credential Provider URL Host |
The CyberArk Central Credential Provider IP/DNS address. |
|
Central Credential Provider URL Port |
The port the CyberArk Central Credential Provider is listening on. |
|
Vault Username |
The username for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
|
Vault Password |
The password for the vault, if the CyberArk Central Credential Provider is configured for basic authentication. |
|
Safe |
The safe on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
| CyberArk Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
| CyberArk Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
| CyberArk Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
|
AppID |
The AppID with CyberArk Central Credential Provider permissions to retrieve the target password. |
|
Folder |
The folder on the CyberArk Central Credential Provider server that contains the credentials you want to retrieve. |
|
PolicyID |
The PolicyID assigned to the credentials you want to retrieve. |
|
Vault Use SSL |
When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. |
|
Vault Verify SSL |
When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in CyberArk Central Credential Provider before enabling this option. For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload. |
| CyberArk Escalation Account Details Name |
The unique name of the credential you want to retrieve from CyberArk.
|
| CyberArk AIM Service URL |
The URL for the CyberArk AIM web service. By default, Tenable Security Center uses /AIMWebservice/v1.1/AIM.asmx. |
CyberArk Windows Auto-Discovery Options
The following table describes the additional options to configure when using CyberArk Windows Auto-Discovery as the authentication method for Windows credentials.
|
Option |
Description |
Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the user’s CyberArk Instance. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
|
Safe |
Users may optionally specify a Safe to gather account information and request passwords. |
no |
|
AIM Web Service Authentication Type |
There are two authentication methods established in the feature. IIS Basic Authentication and Certificate Authentication. Certificate Authentication can be either encrypted or unencrypted. |
yes |
|
Username |
(Appears if AIM Web Service Authentication Type is IIS Basic Authentication) The username for a user on the CyberArk server. |
no |
|
Password |
(Appears if AIM Web Service Authentication Type is IIS Basic Authentication) The password associated with the username you provided. |
no |
| Client Certificate |
(Appears if AIM Web Service Authentication Type is Certificate Authentication) The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| Client Certificate Private Key |
(Appears if AIM Web Service Authentication Type is Certificate Authentication) The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase |
(Appears if AIM Web Service Authentication Type is Certificate Authentication) The passphrase for the private key, if required. |
yes, if private key is applied |
|
CyberArk PVWA Web UI Login Name |
Username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
|
CyberArk PVWA Web UI Login Password |
Password for the username to log in to CyberArk web console. This is used to authenticate to the PVWA REST API and gather bulk account information. |
yes |
|
CyberArk Platform Search String |
String used in the PVWA REST API query parameters to gather bulk account information. For example, the user can enter UnixSSH Admin TestSafe, to gather all Windows platform accounts containing a username Admin in a Safe called TestSafe. Note: This is a non-exact keyword search. A best practice would be to create a custom platform name in CyberArk and enter that value in this field to improve accuracy. |
yes |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
yes |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
CyberArk Vault Options
The following table describes the additional options to configure when using CyberArk Vault as the authentication method for Windows credentials.
| Option | Description | Required |
|---|---|---|
|
CyberArk Host |
The IP address or FQDN name for the CyberArk AIM Web Service. This can be the host, or the host with a custom URL added on in a single string. |
yes |
|
Port |
The port on which the CyberArk API communicates. By default, Tenable uses 443. |
yes |
|
AppID |
The Application ID associated with the CyberArk API connection. |
yes |
| Client Certificate | The file that contains the PEM certificate used to communicate with the CyberArk host. |
no |
| Client Certificate Private Key | The file that contains the PEM private key for the client certificate. |
yes, if private key is applied |
| Client Certificate Private Key Passphrase | The passphrase for the private key, if required. |
yes, if private key is applied |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
|
|
|
KDC Transport |
|
|
|
Domain |
(Required if Kerberos Target Authentication is enabled) The domain to which Kerberos Target Authentication belongs, if applicable. |
yes |
| Get credential by |
The method with which your CyberArk API credentials are retrieved. Can be Username, Identifier, or Address. Note: The frequency of queries for Username is one query per target. The frequency of queries for Identifier is one query per chunk. This feature requires all targets have the same identifier. Note: The Username option also adds the Address parameter of the API query and assigns the target IP of the resolved host to the Address parameter. This may lead to failure to fetch credentials if the CyberArk Account Details Address field contains a value other than the target IP address. |
yes |
| Username |
(If Get credential by is Username) The username of the CyberArk user to request a password from. |
no |
| Safe |
The CyberArk safe the credential should be retrieved from. |
no |
| Address | The option should only be used if the Address value is unique to a single CyberArk account credential. | no |
| Account Name | (If Get credential by is Identifier) The unique account name or identifier assigned to the CyberArk API credential. | no |
|
Use SSL |
If enabled, the scanner uses SSL through IIS for secure communications. Enable this option if CyberArk is configured to support SSL through IIS. |
no |
|
Verify SSL Certificate |
If enabled, the scanner validates the SSL certificate. Enable this option if CyberArk is configured to support SSL through IIS and you want to validate the certificate. |
no |
Delinea Secret Server Options
The following table describes the additional options to configure when using Delinea Secret Server as the authentication method for Windows credentials.
| Option | Description | Required |
|---|---|---|
|
Delinea Secret |
The value of the secret on the Delinea server. The secret is labeled Secret Name on the Delinea server. |
yes |
|
Delinea Host |
The Delinea Secret Server IP address for API requests. |
yes |
|
Delinea Port |
The Delinea Secret Server Port for API requests. By default, Tenable uses 443. |
yes |
|
Delinea Login Name |
The username to authenticate to the Delinea server. |
yes |
|
Delinea Password |
The password to authenticate to the Delinea server. This is associated with the Delinea Login Name you provided. |
yes |
|
Checkout Duration |
The duration Tenable should check out the password from Delinea. Duration time is in hours and should be longer than the scan time. |
yes |
|
Use SSL |
Enable if the Delinea Secret Server is configured to support SSL. |
no |
|
Verify SSL Certificate |
If enabled. verifies the SSL Certificate on the Delinea server. |
no |
Hashicorp Vault Options
The following table describes the additional options to configure when using Hashicorp Vault as the authentication method for Windows credentials.
| Option | Default Value | Required |
|---|---|---|
|
Hashicorp Host |
The Hashicorp Vault IP address or DNS address. Note: If your Hashicorp Vault installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
yes |
|
Hashicorp Port |
The port on which Hashicorp Vault listens. |
yes |
| Authenticaton Type |
Specifies the authentication type for connecting to the instance: App Role or Certificates. If you select Certificates, additional options for Hashicorp Client Certificate (Required) and Hashicorp Client Certificate Private Key (Required) appear. Select the appropriate files for the client certificate and private key. |
yes |
| Role ID |
The GUID provided by Hashicorp Vault when you configured your App Role. |
yes |
| Role Secret ID | The GUID generated by Hashicorp Vault when you configured your App Role. | yes |
| Authentication URL | The path/subdirectory to the authentication endpoint. This is not the full URL. For example: /v1/auth/approle/login |
yes |
|
Namespace |
The name of a specified team in a multi-team environment. |
no |
| Hashicorp Vault Type |
The type of Hashicorp Vault secrets engine:
|
yes |
|
KV1 Engine URL KV2 Engine URL AD Engine URL LDAP Engine URL |
The URL Tenable Security Center uses to access the Hashicorp Vault secrets engine. Example: /v1/path_to_secret. No trailing / |
yes |
| Username Source | (Only displays if Hashicorp Vault Type is KV1 or KV2) Specifies if the username is input manually or pulled from Hashicorp Vault. | yes |
| Username Key | (Only displays if Hashicorp Vault Type is KV1 or KV2) The name in Hashicorp Vault that usernames are stored under. | yes |
| Password Key | (Only displays if Hashicorp Vault Type is KV1 or KV2) The key in Hashicorp Vault that passwords are stored under. | yes |
| Secret Name | The key secret you want to retrieve values for. | yes |
|
Kerberos Target Authentication |
If enabled, Kerberos authentication is used to log in to the specified Linux or Unix target. |
no |
|
Key Distribution Center (KDC) |
(Required if Kerberos Target Authentication is enabled) This host supplies the session tickets for the user. |
yes |
|
KDC Port |
(Required if Kerberos Target Authentication is enabled) The port on which the Kerberos authentication API communicates. By default, Tenable uses 88. |
yes |
|
KDC Transport |
(Required if Kerberos Target Authentication is enabled) The KDC uses TCP by default in Linux implementations. For UDP, change this option. If you need to change the KDC Transport value, you may also need to change the port as the KDC UDP uses either port 88 or 750 by default, depending on the implementation. |
yes |
|
Domain |
(Required if Kerberos Target Authentication is enabled) The domain to which Kerberos Target Authentication belongs, if applicable. |
yes |
| Use SSL | When enabled, Tenable Security Center uses SSL for secure communications. You must configure SSL in Hashicorp Vault before enabling this option. | no |
| Verify SSL | When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL in Hashicorp Vault before enabling this option. | no |
Kerberos Options
The following table describes the options to configure when using Kerberos as the authentication method for Windows credentials.
| Option | Description |
|---|---|
| Username | The username for a user on the target system. |
| Password | The password associated with the username you provided. |
| Domain | The authentication domain, typically the domain name of the target (e.g., example.com). |
| KDC Host | The host supplying the session tickets. |
| KDC Port | The port you want to use for the KDC connection. By default, Tenable Security Center uses port 88. |
| KDC Transport |
The method you want to use to connect to the KDC server. Note: If you select UDP, you may need to edit the KDC Port. The KDC UDP protocol uses either port 88 or port 750. |
Lieberman Options
The following table describes the additional options to configure when using Lieberman as the authentication method for Windows credentials.
| Option | Description |
|---|---|
| Username | The username for a user on the database. |
| Domain | The domain of the username, if required by Lieberman. |
| Lieberman Host |
The Lieberman IP address or DNS address. Note: If your Lieberman installation is in a subdirectory, you must include the subdirectory path. For example, type IP address or hostname/subdirectory path. |
| Lieberman Port | The port Lieberman is listening on. |
| Lieberman User |
The username for the Lieberman explicit user you want Tenable Security Center to use for authentication to the Lieberman Rapid Enterprise Defense (RED) API. |
| Lieberman Password |
The password for the Lieberman explicit user. |
| Use SSL |
When enabled, Tenable Security Center uses SSL through IIS for secure communications. You must configure SSL through IIS in Lieberman before enabling this option. |
| Verify SSL Certificate |
When enabled, Tenable Security Center validates the SSL certificate. You must configure SSL through IIS in Lieberman before enabling this option. For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload. |
| System Name | The name for the database credentials in Lieberman. |
Password Options
The following table describes the options to configure when using Password as the authentication method for Windows credentials.
|
Option |
Description |
|---|---|
|
Username |
The username for a user on the target system. |
|
Password |
The password associated with the username you provided. |
|
Domain |
The domain of the username, if required. |
QiAnXin Options
The following table describes the options to configure when using QiAnXin as the authentication method for Windows credentials.
| Option | Description | Required |
|---|---|---|
|
QiAnXin Host |
The IP address or URL for the QiAnXin host. |
yes |
|
QiAnXin Port |
The port on which the QiAnXin API communicates. By default, Tenable uses 443. |
yes |
|
QiAnXin API Client ID |
The Client ID for the embedded account application created in QiAnXin PAM. |
yes |
|
QiAnXin API Client Secret |
The Secret ID for the embedded account application created in QiAnXin PAM. |
yes |
|
|
The username to log in to the hosts you want to scan. |
yes |
| Domain | The domain to which the username belongs. |
no |
|
QiAnXin Asset Address |
Specify the host IP of the asset containing the account to use. If not specified, the scan target IP is used. |
no |
|
|
Specify the platform (based on asset type) of the asset containing the account to use. If not specified, a default target is used based on credential type (for example, for Windows credentials, the default is WINDOWS). Possible values:
|
no |
|
|
Specify the region ID of the asset containing the account to use. |
Only if using multiple regions. |
| Use SSL | When enabled, Tenable uses SSL for secure communication. This is enabled by default. |
no |
|
Verify SSL Certificate |
When enabled, Tenable verifies that the SSL Certificate on the server is signed by a trusted CA. |
no |
Senhasegura Options
The following table describes the options to configure when using Senhasegura as the authentication method for Windows credentials.
| Option | Description | Required |
|---|---|---|
|
Senhasegura Host |
The IP address or url for the Senhasegura host. |
yes |
|
Senhasegura Port |
The port on which the Senhasegura API communicates. By default, Tenable uses 443. |
yes |
|
Senhasegura API Client ID |
The Client ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. |
yes |
| Senhasegura API |
The Secret ID for the applicable Senhasegura A2A Application for Oauth 2.0 API authentication. |
yes |
| Domain | The domain to which the username belongs. | no |
| Senhasegura Credential ID or Identifier | The credential ID or identifier for the credential that you are requesting to retrieve. |
yes |
|
Private Key File |
The Private Key used to decrypt encrypted sensitive data from A2A. Note: You can enable encryption of sensitive data in the A2A Application Authorizations. If enabled, you must provide a private key file in the scan credentials. This can be downloaded from the applicable A2A application in Senhasegura. |
Required if you have enabled encryption of sensitive data in A2A Application Authorizations. |
| Use SSL | When enabled, Tenable Security Center uses SSL for secure communications. This setting is enabled by default. | no |
|
Verify SSL Certificate |
When enabled, Tenable Security Center validates the SSL certificate. This setting is disabled by default. |
no |
Thycotic Secret Server Options
The following table describes the options to configure when using Thycotic Secret Server as the authentication method for Windows credentials.
| Option | Description |
|---|---|
|
Username |
(Required) The username for a user on the target system. |
| Domain | The domain of the username, if set on the Thycotic server. |
| Thycotic Secret Name | The Secret Name value on the Thycotic server. |
| Thycotic Secret Server URL |
(Required) The value you want Tenable Security Center to use when setting the transfer method, target, and target directory for the scanner. Find the value on the Thycotic server, in Admin > Configuration > Application Settings > Secret Server URL. For example, if you type https://pw.mydomain.com/SecretServer, Tenable Security Center determines it is an SSL connection, that pw.mydomain.com is the target address, and that /SecretServer is the root directory. |
| Thycotic Login Name | (Required) The username for a user on the Thycotic server. |
| Thycotic Password | (Required) The password associated with the Thycotic Login Name you provided. |
| Thycotic Organization | In cloud instances of Thycotic, the value that identifies which organization the Tenable Security Center query should target. |
| Thycotic Domain | The domain, if set for the Thycotic server. |
| Use Private Key | If enabled, Tenable Security Center uses key-based authentication for SSH connections instead of password authentication. |
| Verify SSL Certificate |
If enabled, Tenable Security Center verifies the SSL Certificate on the Thycotic server. For more information about using self-signed certificates, see Custom Plugin Packages for NASL and CA Certificate Upload. |
WALLIX Bastion Options
The following table describes the additional options to configure when using WALLIX Bastion as the authentication method for Windows credentials.
| Option | Description | Required |
|---|---|---|
|
WALLIX Host |
The IP address for the WALLIX Bastion host. |
yes |
|
WALLIX Port |
The port on which the WALLIX Bastion API communicates. By default, Tenable uses 443. |
yes |
|
Authentication Type |
Basic authentication (with WALLIX Bastion user interface username and Password requirements) or API Key authentication (with username and WALLIX Bastion-generated API key requirements). |
no |
| WALLIX User |
Your WALLIX Bastion user interface login username. |
yes |
| WALLIX Password | Your WALLIX Bastion user interface login password. Used for Basic authentication to the API. |
yes |
| WALLIX API Key | The API key generated in the WALLIX Bastion user interface. Used for API Key authentication to the API. |
yes |
| Get Credential by Device Account Name |
The account name associated with a Device you want to log in to the target systems with. Note: If your device has more than one account you must enter the specific device name for the account you want to retrieve credentials for. Failure to do this may result in credentials for the wrong account returned by the system. |
Required only if you have a target and/or device with multiple accounts. |
|
HTTPS |
This is enabled by default. Caution: The integration fails if you disable HTTPS. |
yes |
|
Verify SSL Certificate |
This is disabled by default and is not supported in WALLIX Bastion PAM integrations. |
no |