Documentation Center
AlienVault® USM Appliance™

System Settings for Authenticated Scans

Applies to Product: USM Appliance™ AlienVault OSSIM®

An authenticated scan is a vulnerability testing measure performed from the vantage of a logged-in user. The quality and depth of an authenticated scan depends on the privileges granted to the authenticated user account. The following are the recommended system settings for creating a designated account for authenticated scans.

Asset Scan Credentials and Escalation Options
Operating System Methods and Credentials Escalation
Windows Windows username and password through Windows Remote Management None
Linux SSH password or public key authentication sudo or su

Windows

General System Configurations Overview
Windows Configurations Settings
General System Configurations
  • Designated domain controller account
  • WMI Service enabled on target
  • Remote Registry enabled on target
  • File and printer sharing must be enabled in the target’s network configuration
Group Configurations
  • Designated security group
  • Group scope: Global Scope
  • Group type: Secure
  • Generate registry key
Policy Configurations
  • Designated policy object
  • Policy contains designated domain controller account
  • Designated security group is assigned to policy
  • User rights: Deny local log on, log on through remote desktop services, and write privileges
  • Permissions: deny permissions for Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership

Creating a Windows Admin Account

AlienVault recommends that the Admin create a designated administrator account solely for the authenticated scans rather than using an established administrator account or a guest account. Create the Windows account using the name AV Authenticated Account and a secure password. The account configuration must be set to Classic: local users authenticate as themselves.

For more information about creating credentials for authenticated scans in USM Appliance, see Creating Credentials for Vulnerability Scans.

Creating a Security Group

To create a security group

  1. Log in to the Active Directory on the Domain Controller.

  2. Go to Start > Programs > Administrative Tools > Active Directory Users and Computers.

  3. Click Select Action > New > Group to create a new security group.

  4. Name the group AlienVault Authenticated Scan.

  5. For Group scope select Global scope.

  6. For Group type select Security.

  7. Click OK to add the group.

    Details on the creation of a new security group.

  8. Add the account that you will be using for the authenticated scans to the AlienVault Authenticated Scan group.

To create a group policy

  1. Click Start > All Programs > Accessories > Run and type gpmc.msc in the text box to open the Group Policy Management Console.

  2. In the Group Policy Management window, right-click Group Policy Objects and select New.

  3. Name the policy AlienVault Security Rights and click OK.

    Set up a new GPO in Group Policy Management.

  4. In the Group Policy Management Editor, click the AlienVault Security Rights policy to open the policy in the right panel. Click on the Scope tab, and then in the Security Filtering section, click Add to insert the group. In the Enter the object name to select field, add the AlienVault Authenticated Scan group to the policy and click OK.

Configuring Policies

The following configurations are optional steps you can take in the Group Policy Management Editor to remove unnecessary user rights. These steps are not required for running the authenticated scans, but they do provide extra measures of internal security.

To deny local logins

  1. Right-click on the AlienVault Security Rights policy and select Edit.

  2. In User Rights Assignment, double-click Deny log on locally.

  3. Click on Add User or Group.

  4. Click Browse, enter AlienVault Authenticated Scan, and click Check Names.

  5. Click OK.

    Deny local log ins with the Group Policy Management Editor.

To deny Remote Desktop Services log

  1. Right-click the AlienVault Security Rights policy and select Edit.
  2. In User Rights Assignment, double-click Deny log through Remote Desktop Services.
  3. Click the checkbox for Define these policy settings.
  4. Click Add User or Group.
  5. Click Browse, enter AlienVault Authenticated Scan and click Check Names.
  6. Click OK.

To configure permissions

  1. Right-click File Systems and select Add File.

    Click Add File in File Systems

  2. Enter %SystemDrive%.

  3. Click Add under Group or user names.

  4. Enter AlienVault Authenticated Scan.

  5. Click OK.

  6. Select the authenticated user in the AlienVault Authenticated Scan group.

  7. Uncheck any permissions that are marked in the Allowed column, and click Deny for the Write permission.

  8. Click OK.

  9. In the Object window, select Configure this file or folder then and Propagate inheritable permissions to all subfolders and files and then click OK.

To configure registries

  1. Click Registry and select Add Key.

  2. Select Users and click OK.

  3. Click Advanced and then click Add.

  4. Enter the AlienVault Authenticated Scan group and click OK.

  5. In the Permissions Entry Objects window's Apply to field, and select This object and child objects.

  6. In the Permissions section below, click the Deny checkboxes for Set Value, Create Subkey, Create Link, Delete, Change Permissions, and Take Ownership. No checkboxes should be set to Allow.

  7. Click OK and confirm the changes.

    Full display of all windows showing configurations and permissions

  8. Select Configure this key then and Propagate inheritable permissions to all subkeys radio buttons and click OK.

  9. Repeat these steps for the Machine and Classes Root Registries as well.

Linux

To perform authenticated scans on USM Appliance from a Linux system, the user must have root privileges. The Linux login is performed through SSH, while USM Appliance performs the authentication either with a password or an SSH Key stored in USM Appliance. The Linux account used for authenticated scans must be able to perform uname commands and read and execute Debian (.deb and .dpkg) or Red Hat (.rpm) files. Public Key Authentication must not be prohibited by the SSH daemon with the line PubkeyAuthentication no.

For more information about creating credentials for authenticated scans in USM Appliance, see Creating Credentials for Vulnerability Scans.