The service provides trusted scanning capabilities through authentication to target hosts, enabling organizations to ensure internal policy compliance at the host level.
All authentication types may be configured at the subscription level. When authentication is enabled, the service automatically attempts authentication to target hosts, based on user-supplied credentials, for all scans launched by Managers, Unit Managers and Scanners.
For vulnerability scans, trusted scanning is optional but recommended. For compliance scans, trusted scanning is required. The steps below describe how to get started using the authenticated trusted scanning feature.
The first step is to configure authentication credentials on target hosts.
• Windows authentication setup. Configure a user account for authenticating to Windows hosts. Both local host and domain level authentication options are supported.
• MS SQL Server authentication setup. (For compliance scans only) Configure a Windows operating system user account that is associated with an MS SQL Server database account, or configure an MS SQL Server database account.
• Unix authentication setup. Configure a user account and generate an RSA and/or DSA key pair for authenticating to systems that support the SSH protocol. Basic authentication (user name and password) is supported for SSH1 and SSH2. Key authentication is supported for SSH2 only.
• Oracle authentication setup. Configure a user account for authenticating to Oracle databases.
• SNMP authentication setup. Determine which community strings (SNMPv1 and SNMPv2c) or authentication credentials (SNMPv3) should be used to communicate with SNMP agents on target hosts.
• Cisco IOS authentication setup. Configure a user account for authenticating to Cisco IOS devices that support SSH1, SSH2 and telnet.
Any user with the Manager role may create authentication records containing authentication credentials and the target hosts that those credentials apply to. Unit Managers may be granted permission to create and manage authentication records.
• Windows records. Supply a Windows user name and password to be used for authentication. Also specify a Windows domain name for domain level authentication and the IPs in the subscription your credentials apply to. Select the option "Authentication Vault" if the account password is stored in a third party authentication vault.
• MS SQL Server records. (For compliance scans only) Supply an MS SQL Server database instance, database name, port, and login credentials (user name and password). Also specify which IPs in your subscription the credentials apply to.
• Unix records. Supply a Unix user name and password to be used for authentication, as well as an RSA and/or DSA private key. Also specify which IPs in the subscription your credentials apply to. Select the option "Authentication Vault" if the account password is stored in a third party authentication vault.
• Oracle records. Supply an Oracle database user name, password, SID and port to be used for authentication, and specify which IPs in the subscription your credentials apply to.
• Oracle Listener records. Supply a password to be used for authentication, and specify which IPs in the subscription your credentials apply to.
• SNMP records. For SNMPv1 and SNMPv2c, supply one or more community strings to be used for authentication. For SNMPv3, supply a user name, password and algorithm to be used for authentication. You may also supply SNMP encryption credentials for data encryption. Then specify which IPs in the subscription your credentials apply to.
• Cisco IOS records. Supply a user name and password to be used for authentication, and specify which IPs in the subscription your credentials apply to.
Authentication is performed only when enabled in the option profile applied to the scan task. You may enable one or more authentication types in the same option profile. All existing authentication records are applied to the scan.
• Option profiles. Create at least one option profile with the authentication option enabled.
If the compliance module is enabled for your subscription, then you may also create compliance profiles for compliance scans. Authentication is automatically enabled in compliance profiles for all authentication types because successful authentication is required for compliance scans.
Verify that authentication was successful. It is recommended that you resolve authentication failures before the next scan.
• Verify authentication (vulnerability scans). View vulnerability scan results to verify that authentication occurred on the target hosts defined in your authentication records.
• Verify authentication (compliance scans). Run the Authentication Report to identify the authentication status (Passed, Failed or Passed with insufficient privileges) for each compliance scanned host.
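The two checks a practitioner wants before and after a scan, as an added example that is not the service's own code or API: first, whether every target host is covered by a record of the authentication type it needs (with all types treated as enabled for a compliance scan, as described above), and second, which hosts in the authentication report did not reach "Passed" and must be resolved before the next scan. The record layout, the "host,status" report lines and all IP ranges are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Every authentication type is enabled automatically in a compliance profile
ALL_AUTH_TYPES = ("windows", "unix", "mssql", "oracle", "snmp", "cisco_ios")
REPORT_STATUSES = ("Passed", "Failed", "Passed with insufficient privileges")

@dataclass
class AuthRecord:
    auth_type: str        # one of ALL_AUTH_TYPES
    credential_ref: str   # vault/record label only; the secret never leaves the service
    networks: list        # CIDR ranges from the subscription the credentials apply to

    def covers(self, host: str) -> bool:
        ip = ipaddress.ip_address(host)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.networks)

def coverage_gaps(records, hosts, profile_types, compliance=False):
    """hosts maps IP -> auth type that host needs. Returns {ip: reason} for
    hosts the scan will not be able to authenticate to."""
    enabled = set(ALL_AUTH_TYPES) if compliance else set(profile_types)
    gaps = {}
    for host, auth_type in hosts.items():
        if auth_type not in enabled:
            gaps[host] = f"{auth_type} authentication not enabled in option profile"
        elif not any(r.auth_type == auth_type and r.covers(host) for r in records):
            gaps[host] = f"no {auth_type} record covers this IP"
    return gaps

def triage_auth_report(lines):
    """Parse constructed 'host,status' lines from an authentication report and
    return the hosts that must be fixed before the next scan."""
    needs_fix = {}
    for line in lines:
        host, status = (p.strip() for p in line.split(",", 1))
        if status not in REPORT_STATUSES:
            raise ValueError(f"unexpected status {status!r} for {host}")
        if status != "Passed":
            needs_fix[host] = status
    return needs_fix

# Constructed sample data (assumption, not from the page): two records, three hosts
RECORDS = [
    AuthRecord("windows", "vault:win-scan-svc", ["10.0.1.0/24"]),
    AuthRecord("unix", "key:rsa-scan-key", ["10.0.2.0/24"]),
]
HOSTS = {"10.0.1.10": "windows", "10.0.2.20": "unix", "10.0.3.30": "unix"}
REPORT = ["10.0.1.10, Passed", "10.0.2.20, Passed with insufficient privileges", "10.0.3.30, Failed"]

if __name__ == "__main__":
    print(coverage_gaps(RECORDS, HOSTS, profile_types=["windows"]))   # vulnerability scan
    print(coverage_gaps(RECORDS, HOSTS, [], compliance=True))         # compliance scan
    print(triage_auth_report(REPORT))
```

In the vulnerability-scan case the Unix hosts are reported as gaps because Unix authentication is not enabled in the option profile; in the compliance case only the host outside any record's IP range remains.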