Before Launching Compliance Scans

Before you launch or schedule compliance scans, follow these steps to ensure your scans are successful and return the most useful results.

Step 1: Accept the Dissolvable Agent

A Manager must accept the Dissolvable Agent (Agent) before you can run compliance scans that perform Password Auditing, Windows Share Enumeration and/or Detailed Security Auditing for Windows Vista, 7 and 2008. See Dissolvable Agent Setup.

Step 2: Create a compliance profile

Compliance profiles contain scan configuration settings for compliance scans. Before you can launch a compliance scan, a compliance profile must be available on the option profiles list in your account. The service does not provide a default compliance profile. A Manager or another user with compliance management privileges can create a compliance profile. See Managing Compliance Profiles.

Step 3: Add authentication records for trusted scanning

Successful authentication to target hosts is a requirement for compliance scans. Authentication records identify credentials used to authenticate to target hosts during scans. If authentication to a host is not successful, then no controls can be evaluated for the host and no compliance data can be collected for the host. If authentication to a host is successful, then the host can be evaluated for compliance. See Getting Started with Trusted Scanning and Additional Requirements for Compliance and FDCC Scans.

Step 4: Decide which scanner option to use

If you use scanner appliances, you'll be required to select a scanner option for the scan task: Default (for default scanner in asset group), External (for external scanners), All Scanners in Asset Group (for scanner parallelization), or a scanner appliance name. Think about which scanner option best applies to the target hosts. See Scanner Appliance Selection for Scans.


Specialized Scans

File Integrity Monitoring

File Integrity Monitoring allows you to monitor changes to individual files on your network. To use this feature, create file integrity check controls and add them to your compliance policies, then enable File Integrity Monitoring in a compliance profile and apply that profile to your scan task. See File Integrity Monitoring.

Password Auditing

The service provides password auditing controls for identifying 1) user accounts with empty passwords, 2) user accounts with the password equal to the user name, and 3) user accounts with passwords equal to an entry in a user-defined password dictionary. To use this feature, enable Password Auditing in a compliance profile and apply that profile to your scan task. This feature requires the Dissolvable Agent. See Password Auditing.

Windows Share Enumeration

Windows Share Enumeration checks for Windows shares that are readable by Everyone and returns the number of files for each share on each host. To use this feature, enable Windows Share Enumeration in a compliance profile and apply that profile to your scan task. This feature requires the Dissolvable Agent. See Windows Share Enumeration.

Scan by Hostname

Scan by Hostname is a subscription-level feature that allows users to scan hosts by their DNS and/or NetBIOS hostnames. The hostnames are assigned to asset groups, which can be selected as part of the scan target. See Scan by Hostname.

Hosts Tracked by DNS or NetBIOS Hostname

If you scan an IP address that is assigned a tracking method of DNS or NetBIOS hostname, then the service must be able to resolve the target IP address to a hostname. If the hostname is not resolved, then the host will not be scanned and security audit results will not be reported. See Tracking Method.
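
A pre-scan check for the hostname-tracking requirement above, as an added example that is not part of the service or its documentation: it takes a target list and reports which DNS-tracked addresses have no reverse (PTR) record and would therefore be skipped. The `(ip, tracking_method)` input format and the labels `DNS`, `NetBIOS` and `IP` are assumptions of this example. The lookup runs from the machine executing the script, so run it from a host that uses the same DNS servers as the scanner.

```python
import ipaddress
import socket

def reverse_dns(ip):
    """PTR lookup from the machine running this script; None if unresolved."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

# Only DNS tracking is checked here. NetBIOS name resolution needs a different
# lookup, so NetBIOS-tracked hosts are reported as unverified, not as passing.
RESOLVERS = {"DNS": reverse_dns}

def preflight(targets, resolvers=RESOLVERS):
    """targets: iterable of (ip, tracking_method) pairs (assumed format).
    Returns a dict with keys resolved / unresolved / unverified / invalid."""
    report = {"resolved": {}, "unresolved": [], "unverified": [], "invalid": []}
    for ip, method in targets:
        try:
            ip = str(ipaddress.ip_address(ip.strip()))
        except ValueError:
            report["invalid"].append(ip)  # typo in the target list
            continue
        method = method.strip().upper()
        if method == "IP":
            continue  # tracked by IP address: no hostname resolution needed
        resolver = resolvers.get(method)
        if resolver is None:
            report["unverified"].append(ip)
            continue
        name = resolver(ip)
        if name:
            report["resolved"][ip] = name
        else:
            report["unresolved"].append(ip)  # would not be scanned
    return report

if __name__ == "__main__":
    # Constructed sample targets (RFC 5737 documentation addresses).
    sample = [("192.0.2.10", "DNS"), ("192.0.2.11", "NetBIOS"), ("192.0.2.12", "IP")]
    for bucket, hosts in preflight(sample).items():
        print(bucket, hosts)
```

Addresses in the `unresolved` bucket need a PTR record, or a different tracking method, before the scan is launched.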