Creating Windows Records

Each Windows authentication record identifies IPs and account credentials to be used for authentication. At least one Windows authentication record is required to perform Windows trusted scanning. Any Manager user may create authentication records. Unit Managers may be granted this permission.

Windows authentication records are used for trusted scanning when authentication is enabled for the scan. For vulnerability scans, authentication is enabled only when Windows authentication is selected in the option profile. For compliance scans, authentication is always enabled by the service (and cannot be disabled by the user).

Your account may include multiple Windows authentication records. When you have multiple records, the scanning engine matches each target host to one record. See Multiple Windows Authentication Records for information on how the scanning engine chooses a record for authentication.

Important! Before you begin, be sure that you followed our best practices to create a Windows domain account with group policy settings, as described in Windows Domain Account Setup. When trust relationships exist, check that your trust relationships are working properly using the domain account on the hosts to be scanned.


To create a Windows record:

1.    Select Authentication Records from the left menu, under Tools.

2.    Go to New > Windows Record.

3.    Under Login Credentials, in the Windows Authentication section, select Local or Domain.

4.    (required for Domain authentication) Select a type from the Domain Type menu:

      NetBIOS, User-Selected IPs. With this option the scanning engine will use NetBIOS to authenticate to user-selected IP addresses in a specified domain. A single authentication record may be defined for an entire domain (tree) using this method.

      NetBIOS, Service-Selected IPs. With this option the scanning engine will use NetBIOS to authenticate to hosts in a user-specified domain using credentials stored on this domain. If trust relationships exist and the account's permissions are properly propagated, it's possible for the scanning engine to authenticate to hosts which are not members of the same domain. See Examples for NetBIOS, Service-Selected IPs.

      Active Directory. With this option the scanning engine will use an Active Directory forest to authenticate to hosts in a certain domain within that forest. This domain must be specified as an FQDN (Fully Qualified Domain Name).

5.    (required for Domain authentication) Enter a name in the Domain Name field. When the domain type is Active Directory, an FQDN name must be entered.

6.    (optional) For the domain type Active Directory, select Follow trust relationships if you want the scanning engine to authenticate to hosts in other domains that have a trust relationship with the specified domain.

7.    (optional) For a NetBIOS domain type, you may select Enable NTLM Authentication. This allows the scanning engine to try the NTLM authentication protocol when negotiating authentication to target Windows hosts. When NTLM authentication is disabled, it will not be attempted even if other methods like NTLMSSP and Kerberos fail. Note that the NTLM Authentication option is not available if you use an authentication vault.

8.    Enter user credentials for the Windows user account to be used. Refer to Windows Authentication Setup to understand the requirements for Windows authenticated scanning to be successful. Your options are:

      Basic Authentication. Enter the user name and password for the Windows user account.

      Authentication Vault. Select this option if the password for the Windows user account is stored in a third party authentication vault. See Authentication Vault Login Credentials.

9.    (required when Local or Domain: NetBIOS, User-Selected IPs is selected) On the IPs tab select all hosts that the scanning engine should log into with the specified credentials. Depending on the authentication level specified, these may be hosts associated with the domain or hosts that will be authenticated locally.

10.  (optional) In the Comments field, enter notes to be saved with the Windows record.

11.  Click Save.
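Steps 3 through 9 impose a set of consistency rules on a record (a domain name only for Domain records, an FQDN only for Active Directory, target IPs only for Local or NetBIOS User-Selected records, the NTLM option only for NetBIOS types and never together with a vault). The validator below is an added example, not part of this help page and not the product's own code: it checks a record definition against those rules before it is submitted, which is useful when records are assembled by an automation script rather than typed into the form. The field and constant names (domain_type, follow_trust, enable_ntlm, and so on) are this example's own naming and are not product API parameter names; the sample records are constructed.

```python
"""Pre-flight validator for Windows authentication record definitions.

Added example, not part of the help page and not vendor code. It encodes the
field rules stated in steps 3 through 9 so a record built by a script can be
checked before submission. All field names here are this example's own.
"""
from dataclasses import dataclass, field
import ipaddress
import re

# The four choices from steps 3 and 4 (Local, or one of three Domain types).
LOCAL = "local"
NETBIOS_USER_IPS = "netbios_user_selected_ips"
NETBIOS_SERVICE_IPS = "netbios_service_selected_ips"
ACTIVE_DIRECTORY = "active_directory"

# An FQDN: two or more dot-separated DNS labels ending in an alphabetic TLD.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


@dataclass
class WindowsRecord:
    title: str
    domain_type: str                  # one of the four constants above
    domain_name: str = ""             # step 5; FQDN when domain_type is AD
    username: str = ""                # step 8
    password: str = ""                # step 8, Basic Authentication only
    use_vault: bool = False           # step 8, Authentication Vault
    ips: list = field(default_factory=list)  # step 9; IPs or CIDR blocks
    enable_ntlm: bool = False         # step 7
    follow_trust: bool = False        # step 6


def validate(rec: WindowsRecord) -> list:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if rec.domain_type not in (LOCAL, NETBIOS_USER_IPS, NETBIOS_SERVICE_IPS, ACTIVE_DIRECTORY):
        return [f"unknown domain type {rec.domain_type!r}"]
    is_domain = rec.domain_type != LOCAL
    is_netbios = rec.domain_type in (NETBIOS_USER_IPS, NETBIOS_SERVICE_IPS)

    # Step 5: every Domain record needs a domain name; AD records need an FQDN.
    if is_domain and not rec.domain_name:
        problems.append("domain name is required for Domain authentication")
    if rec.domain_type == ACTIVE_DIRECTORY and rec.domain_name and not _FQDN.match(rec.domain_name):
        problems.append(f"Active Directory domain {rec.domain_name!r} is not an FQDN")

    # Step 6: 'Follow trust relationships' exists only for the AD type.
    if rec.follow_trust and rec.domain_type != ACTIVE_DIRECTORY:
        problems.append("'Follow trust relationships' applies only to Active Directory records")

    # Step 7: the NTLM option is NetBIOS-only and unavailable with a vault.
    if rec.enable_ntlm and not is_netbios:
        problems.append("'Enable NTLM Authentication' applies only to NetBIOS domain types")
    if rec.enable_ntlm and rec.use_vault:
        problems.append("NTLM option is not available when an authentication vault is used")

    # Step 8: a user name is always needed; a password only without a vault.
    if not rec.username:
        problems.append("user name is required")
    if not rec.use_vault and not rec.password:
        problems.append("password is required for Basic Authentication")

    # Step 9: Local and NetBIOS User-Selected records must list target hosts.
    if rec.domain_type in (LOCAL, NETBIOS_USER_IPS) and not rec.ips:
        problems.append("at least one IP is required for Local or NetBIOS, User-Selected IPs")
    for ip in rec.ips:
        try:
            ipaddress.ip_network(ip, strict=False)   # accepts single IPs and CIDR blocks
        except ValueError:
            problems.append(f"invalid IP address or block {ip!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample records: one consistent, one with two rule violations.
    ok = WindowsRecord("ad-corp", ACTIVE_DIRECTORY, domain_name="corp.example.com",
                       username="svc_scan", password="placeholder", follow_trust=True)
    bad = WindowsRecord("ad-short", ACTIVE_DIRECTORY, domain_name="CORP",
                        username="svc_scan", password="placeholder", enable_ntlm=True)
    for rec in (ok, bad):
        print(rec.title, "->", validate(rec) or "OK")
```

A record that passes this check still depends on the prerequisites in the Important! note above: the validator confirms the form is internally consistent, not that the domain account has the rights it needs on each target or that trust relationships actually resolve.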


Next Step

After creating a Windows record, you must enable this feature in your scan options for vulnerability scans. Create or edit an option profile and select the Windows option under Authentication on the Scan tab. Then apply that profile to vulnerability scan tasks.

Note that Windows authentication is automatically enabled in compliance profiles for compliance scan tasks.