When running a scan in USM Anywhere, you have the option to run it with, or without, authenticationProcess used to verify the identity of a user, user device, or other entity, usually through a username and password..
When running a scan without authentication USM Anywhere probes the network services available on the target machine. Using known protocol behaviors, it attempts to identify the software that is running as well as the configuration and version. With this information, the engine then attempts to match the identified software with the known vulnerabilities to produce a report. The benefits of this approach are that the detection can be very specific in order to identify known vulnerable behavior.
When you choose to run a scan with authentication, your credentials allow the engine to actually query the running machine to get very detailed and accurate information about the running software and its configuration. This prevents false positivesA condition that is flagged as a vulnerability or weakness that is not actually a concern. This may be caused by other mitigating conditions (such as additional security technology) or inefficient tuning on detection technology. from misidentified services that can sometimes occur in the unauthenticated approach. In addition, an authenticated scanAuthenticated scans are performed from inside the machine using a user account with appropriate privileges. ensures that all services and software are analyzed — regardless of whether the service is currently running or accessible from the network.
- In UNIX systems, USM Anywhere connects to the target hostReference to a computer on a network. through SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through SCP. and it runs a set of commands to determine if there is a vulnerabilityA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.. By default, USM Anywhere allows creating credentials with
sudoprivilege escalationA type of vulnerability where the attacker can escalate their user privilege from user level to system account privileges, such as root or administrator.. It is possible as well to log inLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. as a particular user and then, provide
suescalation privileges, which will execute every command as a rootHigh-level user account with full administrative privileges. user.
With Cisco devices, you typically need Level 15 privileges, similar to root. You can log in as a particular user and through the Cisco IOS Enable Password escalation you can elevate to level 15 privileges, with the user using a separate password.
- With Windows targets, USM Anywhere uses WinRM framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is unavailable on a target Windows machine USM Anywhere will be unable to connect.
Note: Only the members of the Remote Management Users and Administrators groups can log in through WS-Management.
Rights and Permissions for Using WinRM
The most important aspect about Windows credentials is that the account used to perform the scans should have privileges to access all required files and registry entries, which in many cases means administrative privileges.
Important: For a Windows server that is hardened according to CIS benchmarks, such as the CIS AMI for Microsoft Windows Server 2016 available in the AWS Marketplace, there are local group policies that block these connectivity requirements. For these servers, you must open the port and re-enable WinRM and remote access on each boot of the server.
The assets included in your environment should have the default company security policy. However, there are some configuration options that you can enable that can help you to get a better result when you are performing authenticated scans against Windows systems. These options are
- Under Windows Firewall > Windows Firewall Settings, enable File and Printer Sharing.
- Using the Run prompt, run
gpedit.mscand enable Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall : Allow inbound file and printer exception and enable it.
- While in the Group Policy Object Editor, navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain. This option must be set to either Disabled or Not Configured.
- Windows User Account Control (UAC) must be disabled. To turn off UAC completely, open the Control Panel, select User Accounts and then set Turn User Account Control to Off. Alternatively, you can add a new registry DWORD named LocalAccountTokenFilterPolicy and set its value to “1”. This key must be created in the registry at the following location:
- The Remote Registry service must be enabled; it is disabled by default.
Access Control Matrix
An Access Control Matrix is a table that maps the permissions of a set of subjects to act upon a set of objects within a system. You can use the Access Control Matrix to map permissions to your USM Anywhere.