Basic Settings in User-Defined Templates

Note: This topic describes Basic settings you can set in user-defined templates. For Basic settings in individual scans, see Basic Settings in Vulnerability Management Scans .

You can use Basic settings to specify basic aspects of a user-defined template, including who has access to the user-defined template.

The Basic settings include the following sections:

General

The general settings for a user-defined template.

Setting Default Value Description

Name

None

Specifies the name of the user-defined template.

Description

None

(Optional) Specifies a description of the user-defined template.

Permissions

You can share the user-defined template with other users by setting permissions for users or groups. When you assign a permission to a group, that permission applies to all users within the group.

Tip: Tenable recommends assigning permissions to user groups, rather than individual users, to minimize maintenance as individual users leave or join your organization.

Permission Description
No Access

(Default user only) Groups and users set to this permission cannot interact with the scan in any way.

Can View Groups and users with this permission can view the results of the scan, export the scan results, and move the scan to the Trash folder. They cannot view the scan configuration or permanently delete the scan.
Can Execute

In addition to the tasks allowed by Can View, groups and users with this permission can launch, pause, and stop a scan. They cannot view the scan configuration or permanently delete the scan.

Note: In addition to Can Execute permissions for the scan, users running a scan must have Can Scan permissions in an access group for the specified target, or the scanner does not scan the target.

Can Edit

In addition to the tasks allowed by Can Execute, groups and users with this permission can view the scan configuration and modify any setting for the scan except scan ownership. They can also delete the scan.

Note: Only the scan owner can change scan ownership.

Note: User roles override scan permissions in the following cases:

  • A basic user cannot run a scan or configure a scan, regardless of the permissions assigned to that user in the individual scan.

  • An administrator always has the equivalent of Can Edit permissions, regardless of the permissions set for the administrator account in the individual scan. This does not apply to user-defined scan templates.

Authentication

In user-defined templates, you can use Authentication settings to configure the authentication Tenable.io performs for credentialed scanning.

Tip: The Authentication settings are equivalent to the Scan-wide Credential Type Settings in Tenable-provided scan templates.

Setting Default Value Description
SNMPv1/v2c
equivalent to Scans > Credentials > Plaintext Authentication >  SNMPv1/v2c

UDP Port

161 Ports where Tenable.io attempts to authenticate on the host device.
Additional UDP port #1 161
Additional UDP port #2 161
Additional UDP port #3 161
HTTP
equivalent to Scans > Credentials > Plaintext Authentication > HTTP

Login method

POST

Specify if the login action is performed via a GET or POST request.

Re-authenticate delay (seconds)

0

The time delay between authentication attempts. Setting a time delay is useful to avoid triggering brute force lockout mechanisms.

Follow 30x redirections (# of levels)

0

If a 30x redirect code is received from a web server, this setting directs Tenable.io to follow the link provided or not.

Invert authenticated regex

Disabled

A regex pattern to look for on the login page, that if found, tells Tenable.io that authentication was not successful (e.g., Authentication failed!).

Use authenticated regex on HTTP headers

Disabled

Rather than search the body of a response, Tenable.io can search the HTTP response headers for a given regex pattern to better determine authentication state.

Case insensitive authenticated regex Disabled

he regex searches are case sensitive by default. This instructs Tenable.io to ignore case.

telnet/rsh/rexec
equivalent to Scans > Credentials > Plaintext Authentication > telnet/ssh/rexec
Perform patch audits over telnet Disabled Tenable.io uses telnet to connect to the host device for patch audits.
Perform patch audits over rsh Disabled Tenable.io uses rsh to connect to the host device for patch audits.
Perform patch audits over rexec Disabled Tenable.io uses rexec to connect to the host device for patch audits.
Windows
equivalent to Scans > Credentials > Host > Windows
Never send credentials in the clear

Enabled

By default, for security reasons, this option is enabled.

Do not use NTLMv1 authentication

Enabled

If the Do not use NTLMv1 authentication option is disabled, then it is theoretically possible to trick Tenable.io into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Tenable.io. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log into other servers. Force Tenable.io to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash. Because NTLMv1 is an insecure protocol, this option is enabled by default.

Start the Remote Registry service during the scan

Disabled

This option tells Tenable.io to start the Remote Registry service on computers being scanned if it is not running. This service must be running in order for Tenable.io to execute some Windows local check plugins.

Note: This option is disabled by default to improve default scan performance. Additionally, enabling this option can have implications depending on your network security implementation. For example, certain access control configurations for your network firewall might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB protocol) connections.

Enable administrative shares during the scan

Disabled

This option allows Tenable.io to access certain registry entries that can be read with administrator privileges.

Note: This option is disabled by default to improve default scan performance. Additionally, enabling this option can have implications depending on your network security implementation. For example, certain access control configurations for your network firewall might blacklist your scanner for attempting to negotiate Server Message Block Protocol (SMB protocol) connections.

SSH
equivalent to Scans > Credentials > Host > SSH
known_hosts file

None

If you upload an SSH known_hosts file, Tenable.io only attempts to log in to hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log into a system that may not be under your control.

Preferred port

22

The port on which SSH is running on the target system.

Client version

OpenSSH_5.0

The type of SSH client Tenable.io impersonates while scanning.

Attempt least privilege

Cleared

Enables or disables dynamic privilege escalation. When enabled, Tenable.io attempts to run the scan with an account with lesser privileges, even if theElevate privileges with option is enabled. If a command fails, Tenable.io escalates privileges. Plugins 101975 and 101976 report which plugins ran with or without escalated privileges.

Note: Enabling this option may increase scan run time by up to 30%.

Amazon AWS
equivalent to Scans > Credentials > Cloud Services > Amazon AWS
Regions to access

Rest of the World

In order for Tenable.io to audit an Amazon AWS account, you must define the regions you want to scan. Per Amazon policy, you need different credentials to audit account configuration for the China region than you do for the rest of the world.

Possible regions include:

  • GovCloud — If you select this region, you automatically select the government cloud (e.g., us-gov-west-1).

  • Rest of the World — If you select this region, the following additional options appear:

    • us-east-1

    • us-east-2

    • us-west-1

    • us-west-2

    • ca-central-1

    • eu-west-1

    • eu-west-2

    • eu-central-1

    • ap-northeast-1

    • ap-northeast-2

    • ap-southeast-1

    • ap-southeast-2

    • sa-east-1

  • China — If you select this region, the following additional options appear:

    • cn-north-1

    • cn-northwest-1

HTTPS

Enabled

Whether Tenable.io authenticates over an encrypted (HTTPS) or an unencrypted (HTTP) connection.

Verify SSL Certificate

Enabled

Whether Tenable.io verifies the validity of the SSL digital certificate.

Rackspace
equivalent to Scans > Credentials > Cloud Services > Rackspace
Location

Location of the Rackspace Cloud instance. Possible locations include:

  • Dallas-Fort Worth (DFW)
  • Chicago (ORD)
  • Northern Virginia (IAD)
  • London (LON)
  • Syndney (SYD)
  • Hong Kong (HKG)
Microsoft Azure
equivalent to Scans > Credentials > Cloud Services > Amazon AWS
Subscription IDs

List subscription IDs to scan, separated by a comma. If this field is blank, all subscriptions are audited.

Apple Profile Manager
equivalent to Scans > Credentials > Mobile > Apple Profile Manager
Force device updates Enabled

Force devices to update with Apple Profile Manager immediately.

Device update timeout (minutes) 5

Number of minutes to wait for devices to reconnect with Apple Profile Manager.