Credentials in Tenable Vulnerability Management Scans

You can use credentials to grant a Tenable Vulnerability Management scanner local access to scan a target system without requiring an agent. Credentialed scans can perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results. This approach facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account. The more privileges the scanner has via the login account (for example, root or administrator access), the more thorough the scan results.

In Tenable Vulnerability Management, you can create credentials for use in scans in the following ways:

Category	Description	Permissions
Scan-specific	You configure and store these credentials in an individual scan. If you delete the scan, you also delete the credentials. If you want to use the credentials in a different scan, you must either convert the scan-specific credential to a managed credential or recreate the scan-specific credential settings in the other scan.	User Permissions in Basic settings in the scan
Template-specific	You configure and store these credentials in a user-defined template. You can then use the template to create individual scans. If you add credentials to a user-defined template, other users can override those credentials by adding scan-specific or managed credentials to scans created from the template. Tenable recommends adding managed credentials to scans, instead of adding credentials to user-defined templates. If you delete the template, you also delete the template-specific credentials. However, Tenable Vulnerability Management retains the credentials in any scans you used the template to create before deletion. If you want to use the credentials in a different template, you must recreate the template-specific credentials in the other template.	User Permissions in Basic settings in the template
Managed	Tenable Vulnerability Management stores managed credentials centrally in the credential manager. You can configure managed credentials directly in the credential manager or during scan configuration. You can also convert a scan-specific credential to a managed credential during scan configuration. You can use managed credentials in multiple scans. You can also grant other users permissions to use managed credentials in scans. You cannot use managed credentials in templates.	Configure User Permissions for a Credential

The settings you configure for a credential vary based on the credential type. Credential types include:

For more information, see:

Note: Tenable Vulnerability Management opens several concurrent authenticated connections. Ensure that the host being audited does not have a strict account lockout policy based on concurrent sessions.

Note: By default, when creating credentialed scans or user-defined templates, hosts are identified and marked with a Tenable Asset Identifier (TAI). This globally unique identifier is written to the host's registry or file system, and subsequent scans can retrieve and use the TAI.

This option is enabled (by default) or disabled in the Advanced -> General Settings of a scan configuration or template: Create unique identifier on hosts scanned using credentials.

Note: If a Tenable Vulnerability Management scan contains multiple instances of one type of credential, Tenable Vulnerability Management attempts to log into a valid target using each credential in sequence, in the same order in which they were added to the scan. Tenable Vulnerability Management uses the first credential it is able to log in successfully with to perform credentialed checks on the target. Once Tenable Vulnerability Management is able to log in successfully with a credential set, it does not attempt to log in with any of the other credentials in the scan, regardless of their relative levels of access.