AlienVault® USM Anywhere™

System Settings for Authenticated Scans

An authenticated scan is a vulnerability testing measure performed from the vantage of a logged-in user. The quality and depth of an authenticated scan depends on the privileges granted to the authenticated user account. The following are the recommended system settings for creating a designated account for authenticated scans.

Asset Scan Credentials and Escalation Options

Operating System | Methods and Credentials | Escalation
Windows | Windows username and password through Windows Remote Management (WinRM) | None
Linux | SSH password or public key authentication | sudo, su, Cisco IOS Enable Password

Commands Running in the Authenticated Vulnerability Scans

When you run an authenticated scan in USM Anywhere, multiple commands execute on the target at the same time. These commands change constantly, and new definitions are released every day. You can also verify which commands have been executing at any given moment.

Cisco

Cisco devices require level 15 privileges, comparable to root, for running a vulnerability scan. You can log in as a particular user and then elevate to level 15 through the Cisco IOS enable password escalation, which uses a separate password from the user's own. See Scan Target Platform Support for more information.

Linux

In UNIX systems, USM Anywhere connects to the target host through SSH and runs a set of commands to determine if there is a vulnerability. By default, USM Anywhere allows creating credentials with sudo privilege escalation. It is possible as well to log in as a particular user and then provide su escalation privileges, which will execute every command as the root user.

Windows

For Windows targets, USM Anywhere uses the Windows Remote Management (WinRM) framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is unavailable on a target Windows machine, USM Anywhere cannot connect. Also, the Windows domain name cannot contain a dot.

Note: Only the members of the Remote Management Users and Administrators groups can log in through Web Services for Management (WS-Management). WS-Management authentication uses the sAMAccountName, which is limited to 20 characters.

Important: The MaxConcurrentOperationsPerUser parameter in WinRM must be greater than or equal to three, ideally 10 or 15.

Important: The MaxMemoryPerShellMB parameter must be set to 1024.
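As an added example (not part of the USM Anywhere documentation), the following PowerShell, run in an elevated session on a target host, checks the WinRM prerequisites above: that the WinRM service answers, that MaxConcurrentOperationsPerUser is at least 3 (raising it to the recommended 10 where it is not), that MaxMemoryPerShellMB is 1024, and that the designated scan account belongs to one of the two groups allowed to log in through WS-Management. The account name DOMAIN\avscan is a placeholder.

```powershell
# Added example, not from the USM Anywhere documentation: verify on a target
# Windows host that WinRM is reachable and that the quota settings meet the
# page's requirements, raising them if they do not. Run elevated on the target.

$requiredOpsPerUser = 3      # page: must be >= 3
$targetOpsPerUser   = 10     # page: ideally 10 or 15
$requiredShellMB    = 1024   # page: must be 1024
$scanAccount        = 'DOMAIN\avscan'   # placeholder: the designated scan account

# 1. The WinRM service must be running, or the scanner cannot connect at all.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') {
    Write-Warning "WinRM service is $($svc.Status); starting it."
    Start-Service -Name WinRM
}
# Test-WSMan throws if the local WinRM endpoint does not answer.
$wsman = Test-WSMan -ErrorAction Stop
"WinRM stack version: $($wsman.ProductVersion)"

# 2. Check and correct the two quotas through the WSMan: drive.
$opsPath   = 'WSMan:\localhost\Service\MaxConcurrentOperationsPerUser'
$shellPath = 'WSMan:\localhost\Shell\MaxMemoryPerShellMB'

$ops = [int](Get-Item -Path $opsPath).Value
if ($ops -lt $requiredOpsPerUser) {
    Write-Warning "MaxConcurrentOperationsPerUser is $ops (< $requiredOpsPerUser); setting it to $targetOpsPerUser."
    Set-Item -Path $opsPath -Value $targetOpsPerUser
} else {
    "MaxConcurrentOperationsPerUser = $ops (OK)"
}

$mem = [int](Get-Item -Path $shellPath).Value
if ($mem -ne $requiredShellMB) {
    Write-Warning "MaxMemoryPerShellMB is $mem; setting it to $requiredShellMB."
    Set-Item -Path $shellPath -Value $requiredShellMB
} else {
    "MaxMemoryPerShellMB = $mem (OK)"
}

# 3. Only members of Remote Management Users or Administrators may log in
#    through WS-Management, so confirm the scan account is in one of them.
$allowed = $false
foreach ($group in 'Remote Management Users', 'Administrators') {
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members.Name -contains $scanAccount) {
        "$scanAccount is a member of '$group'"
        $allowed = $true
    }
}
if (-not $allowed) {
    Write-Warning "$scanAccount is in neither group and will not be able to log in through WS-Management."
}
```

Set-Item on the WSMan: drive writes the running configuration, so the new quota values apply to new shells without a reboot; the membership check uses the local groups and will not see domain group nesting unless the scan account is listed directly.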

General System Configurations Overview
Windows Configuration Settings
General System Configurations
  • Designated domain controller account
  • Windows Management Instrumentation (WMI) Service enabled on target
  • Remote Registry enabled on target
  • File and printer sharing must be enabled in the target’s network configuration
Group Configurations
  • Designated security group
  • Group scope: Global Scope
  • Group type: Secure
  • Generate registry key
Policy Configurations
  • Designated policy object
  • Policy contains designated domain controller account
  • Designated security group is assigned to policy
  • User rights: Allow local log on, log on through remote desktop services, and write privileges
  • Permissions: Deny permissions for Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership

Creating a Windows Admin Account

AT&T Cybersecurity recommends that the administrator create a designated administrator account solely for the authenticated scans rather than using an established administrator account or a guest account. Create the Windows account using the name AV Authenticated Account and a secure password. The account configuration (the Network access: Sharing and security model for local accounts security setting) must be set to Classic: local users authenticate as themselves.

See Creating Credentials for Vulnerability Scans for more information about creating credentials for authenticated scans in USM Anywhere.
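As an added example (not part of the USM Anywhere documentation), the PowerShell below creates the dedicated scan account and the global security group described in the overview above using the ActiveDirectory module on a domain-joined administration host. The display name AV Authenticated Account is the one the page recommends; the OU path, the sAMAccountName avscan and the group name AV Authenticated Scan are placeholders.

```powershell
# Added example, not from the USM Anywhere documentation: create the dedicated
# scan account and its security group with the ActiveDirectory module.
Import-Module ActiveDirectory

$ou          = 'OU=ServiceAccounts,DC=example,DC=com'   # placeholder OU
$displayName = 'AV Authenticated Account'               # name recommended by the page
$samName     = 'avscan'                                 # placeholder logon name
$groupName   = 'AV Authenticated Scan'                  # placeholder group name

# WS-Management authenticates with the sAMAccountName, which is limited to 20 characters.
if ($samName.Length -gt 20) {
    throw "sAMAccountName '$samName' exceeds the 20-character limit"
}

# Prompt for the password rather than embedding it in the script.
$password = Read-Host -Prompt "Password for $samName" -AsSecureString

# Dedicated account, used for nothing but authenticated scans.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$samName'")) {
    New-ADUser -Name $displayName `
               -DisplayName $displayName `
               -SamAccountName $samName `
               -Path $ou `
               -AccountPassword $password `
               -Enabled $true `
               -Description 'Dedicated account for USM Anywhere authenticated scans'
}

# Designated group: scope Global, type Security (the overview's "Secure").
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $groupName -Members $samName

# Review the result: group membership and that the account is enabled.
Get-ADGroupMember -Identity $groupName | Select-Object Name, SamAccountName
Get-ADUser -Identity $samName | Select-Object Name, Enabled
```

The group is what the designated policy object later refers to, so assigning rights to the group rather than to the account keeps the policy unchanged if the account is ever replaced.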

Rights and Permissions for Using WinRM

The most important aspect about Windows credentials is that the account used to perform the scans should have privileges to access all required files and registry entries, which in many cases means administrative privileges.

Important: For a Windows server that is hardened according to the Center for Internet Security (CIS) benchmarks, such as the CIS Amazon Machine Image (AMI) for Microsoft Windows Server 2016 available in the AWS Marketplace, there are local group policies that block these connectivity requirements. For these servers, you must open the port and re-enable WinRM and remote access on each boot of the server.

Important: The account used to log in to the target system must have remote and local log-on rights. See Setting Log on Locally and the Security Policy for more information.

Important: Enable the group policy Allow Remote Shell Access in the Group Policy settings.

The assets included in your environment should have the default company security policy. However, there are some configuration options that you can enable that can help you to get a better result when you are performing authenticated scans against Windows systems. These are the options:

  • Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
  • Using the Run prompt, run gpedit.msc to open the Group Policy Object Editor. Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall. Enable Allow inbound file and printer exception.
  • While in the Group Policy Object Editor, go to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. This option must be set to either Disabled or Not Configured.
  • Windows User Account Control (UAC) must be disabled. To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to Off. Alternatively, you can add a new registry DWORD value named LocalAccountTokenFilterPolicy and set it to 1. Create this value at the following registry location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy.
  • The Remote Registry service must be enabled; it is disabled by default.
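As an added example (not part of the USM Anywhere documentation), the following PowerShell applies the host-side prerequisites in the list above to a local Windows target and reports what it changed: it enables and starts the Remote Registry service, enables the inbound File and Printer Sharing firewall rules, and creates the LocalAccountTokenFilterPolicy DWORD at the registry location the page gives. The firewall rule group name is the built-in Windows display group and is assumed to exist on the host.

```powershell
# Added example, not from the USM Anywhere documentation: apply the listed
# host prerequisites and report the changes. Run elevated on the target.

$changes = @()

# 1. Remote Registry service: disabled by default, required for the scan.
$rr = Get-Service -Name RemoteRegistry
if ($rr.StartType -eq 'Disabled') {
    Set-Service -Name RemoteRegistry -StartupType Automatic
    $changes += 'RemoteRegistry startup type set to Automatic'
}
if ($rr.Status -ne 'Running') {
    Start-Service -Name RemoteRegistry
    $changes += 'RemoteRegistry service started'
}

# 2. File and Printer Sharing firewall exception (inbound rules of the built-in group).
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
if ($fps | Where-Object { $_.Enabled -eq 'False' }) {
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    $changes += 'File and Printer Sharing inbound rules enabled'
}

# 3. LocalAccountTokenFilterPolicy = 1, the registry alternative the page gives
#    to turning UAC off, so a local administrator's remote token is not filtered.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$current = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy `
                -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($current -ne 1) {
    New-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null
    $changes += 'LocalAccountTokenFilterPolicy set to 1'
}

if ($changes.Count -eq 0) {
    'Host already meets the listed prerequisites.'
} else {
    "Changes applied:`n - " + ($changes -join "`n - ")
}
```

Running the script a second time should report no changes, which makes it usable as a quick compliance check before a scheduled scan.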

Setting Log on Locally and the Security Policy

USM Anywhere enables you to add a Windows Remote Management (WinRM) credential. The account you use to log in to the target system must have remote and local logon rights.

Important: Set the local logon rights to avoid large numbers of processes and large amounts of memory usage.

To set the local logon rights (these instructions may vary depending on your Windows version):

  1. Select Start > All Programs > Accessories > Run and enter gpedit.msc to open the Local Group Policy Editor.
     [Figure: Edit Group Policy]
  2. In the console tree, select Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
     [Figure: Local Group Policy Editor]
  3. Click Allow log on locally to open its properties.
     [Figure: The Log On Properties]
  4. Assign the rights to your user.
  5. Click OK.
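As an added example (not part of the USM Anywhere documentation), the PowerShell below grants the designated scan account the two logon rights the page requires, Allow log on locally (SeInteractiveLogonRight) and Allow log on through Remote Desktop Services (SeRemoteInteractiveLogonRight), from an elevated session instead of the Local Group Policy Editor. It uses the built-in secedit tool: export the current user-rights policy, append the account's SID to each right, and import the result. The account name DOMAIN\avscan is a placeholder.

```powershell
# Added example, not from the USM Anywhere documentation: grant the two logon
# rights with secedit. Run elevated on the target host.

$account = 'DOMAIN\avscan'   # placeholder: the designated scan account
$rights  = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'

# secedit lists principals as *SID, so resolve the account name to its SID first.
$sid   = (New-Object System.Security.Principal.NTAccount($account)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

$cfg = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [string[]](Get-Content -Path $cfg)

function Find-LineIndex([string[]]$Lines, [string]$Pattern) {
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match $Pattern) { return $i }
    }
    return -1
}

$granted = @()
foreach ($right in $rights) {
    $idx = Find-LineIndex $lines "^$right\s*="
    if ($idx -ge 0) {
        # Keep every principal already on the line: the import replaces the
        # right's whole member list with what the file contains.
        $members = ($lines[$idx] -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
        if ($members -contains $entry) { continue }
        $lines[$idx] += ",$entry"
    } else {
        # Right absent from the export: add it under [Privilege Rights].
        $section = Find-LineIndex $lines '^\[Privilege Rights\]'
        $lines = @($lines[0..$section]) + "$right = $entry" +
                 @($lines | Select-Object -Skip ($section + 1))
    }
    $granted += $right
}

if ($granted.Count -gt 0) {
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    "Granted to ${account}: $($granted -join ', ')"
} else {
    "$account already holds: $($rights -join ', ')"
}
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue

# Verify: re-export and show the two rights as they now stand.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Where-Object { $_ -match '^Se(Remote)?InteractiveLogonRight' }
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
```

On a domain-joined host a domain Group Policy that sets User Rights Assignment will overwrite this local change at the next policy refresh, which is why the overview above assigns the rights through a designated policy object rather than on each machine.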