Tracking Windows Authentication Scan Results

When scanning the network, organizations often have several layers of authorization and, therefore, require different permissions.  All too oftentimes credentials that work on one system do not work on another. This Assurance Report Card (ARC) provides the ability to report and analyze Windows systems based on their authentication status.  

When managing a large enterprise, problems often arise when verifying the validity of a vulnerability scan. Due to the use of several different administrative accounts, a scan job could use several different accounts for a single authentication protocol.  Each protocol (i.e. Server Message Block (SMB) or Secure Shell (SSH)) could have a different credential.  A symptom of the complexity of the authentication problem is a Linux computer could run SAMBA and appear like a Windows computer.   While Tenable.sc and Nessus can sort this information out, combing through the data is often challenging.  Through the use of Dynamic Assets, Tenable.sc is able to group devices together for a comparative analysis.  Using the ARC, Tenable.sc provides advanced analysis capabilities to facilitate and easily distribute this functionality to organizations.  

This ARC presents a series of policy statements which together can be used to troubleshoot, fix, and verify authenticated scan results on Windows systems. The policy statements are grouped so that the analyst can focus on issues related to OS Detection, Authentication Errors, and Authentication Success.  This ARC starts by first identifying systems that are scanned by Nessus that are suspected of running a Windows operating system.  The next 3 policy statements provide a list of systems that are identified as Windows computers using operating system enumeration techniques.  Two of the three policies check for the confidence level.  To ensure that systems are in fact Windows, one policy checks for a level 95 or higher, resulting in a high certainty the target is in fact a Windows computer.  The remaining two operating system statements identify targets that should be investigated for accuracy.  These inaccuracies can be caused by bad credentials, hardening, proxy services, and other issues.  These operating system statements provide the analyst with a method to identify systems that are in need of scan validation troubleshooting.  

The next 3 policy statements focus on authentication errors. The fifth policy statement provides a list of suspected Windows systems where no authentication attempt was recorded.  This could be due to a closed port, firewall policy, or another issue. This statement helps analysts find the systems where no valid credentials were used, and therefore the scan data is not as reliable.  The next policy statement shows a list of Windows systems with authentication failures. These systems should be investigated for proper authentication.

The remaining policy statements report on the different levels of authentication success.  Sometimes, even when authentication is successful, there are still problems with scan results.  These policy statements help to identify problems related to permissions. Many times, a system may be scanned with valid credentials, but the account used may not have access to the registry or other files on the target.  Using this ARC, Tenable.sc provides analysts with a clear view of systems with successful credentials that may still have authentication problems.

This ARC is available in the Tenable.sc feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Compliance category. The ARC requirements are as follows:

• SecurityCenter 5.8.2
• Nessus 8.2.2

This ARC provides the organization with clear and simplified method to identify Windows systems for analysis.  By first Discovering the Windows systems from the scanned devices, the ARC can then assess the operating systems of the targets to ensure the devices are running Windows.  Then, the data is Analyzed for proper authentication, which facilitates the Fix and Measuring steps to the Cyber Exposure Lifecycle.  Tenable.sc is the On-Prem solution for understanding a comprehensive picture of the network, while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

ARC Policy Statements

1. Number of systems scanned suspected to be Windows systems - This policy statement displays a ratio number of the suspected Windows system compared to the total number of systems scanned.  The policy uses plugins that are common amongst a majority of Windows systems that focus on Remote Desktop Protocol (RDP) and SMB services.  Compliance for this policy is Any matching the policy.  

2. OS Detection: Suspected Windows Systems where OS detection was not successful - This policy identifies systems that were scanned and found to have SMB or RDP services, but for some reason the Operating System was not discovered.  Systems that match this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Windows computer.  Compliance for the policy is No matching systems.

3. OS Detection: Less than 6% of Windows Systems where OS detection confidence level was less than 95 - This policy identifies systems that were scanned and found to have SMB or RDP services, however, to a degree, Nessus was not confident of the operating systems.  The matching systems are most likely running a version of Windows, but the version could be new or the authentication could have been invalid.  Systems matched by this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Windows computer.  Compliance for the policy is less than 6% matching systems, which allows for new systems that are found to be on the network.

4. OS Detection: Greater than 94% of Windows Systems where OS detection confidence level was greater than 94 - This policy identifies systems that were scanned and found to have SMB or RDP services. Nessus is confident of the identified operating system.  The matching systems are running a version of Windows.  Compliance for the policy is greater than 94% matching systems.

5. Authentication Errors: Suspected Windows Systems with no authentication attempts recorded - This policy identifies systems with no matching authentication plugins.  This could mean no suitable protocol was presented to Nessus, no credentials where available for the operating system, or another issue is present.  These systems should be investigated and special attention should be paid to how the operating system was detected and what condition exists that prevents proper authentication attempts. Compliance for the policy is No matching systems.

6. Authentication Errors: Suspected Windows Systems with Authentication Success due to NULL Session - This policy statement provides the analysts with systems that are grossly misconfigured and allow for a NULL session during authentication to the SMB service.  These systems pose a grave danger to the security of the network and should immediately be removed and properly configured.  Compliance for the policy is No matching systems.

7. Authentication Errors: Systems identified as Windows and Authentication Failures - This policy identifies systems where the operating system is correctly identified, however, the credentials provided with the scan failed to allow Nessus to login correctly.  Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue.  The vulnerability data collected on this system should be considered incomplete.  Compliance for the policy is No matching systems.

8. Authentication Success: No Systems identified as Windows with Authentication Success and Authentication Failures - This policy identifies systems where the operating system is correctly identified and with authentication success, however, the credentials provided with the scan failed to allow Nessus to login correctly.  Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue.  The vulnerability data collected on this system should be considered incomplete.  Compliance for the policy is No matching systems.

9. Authentication Success: Systems identified as Windows with Local Checks disabled - This policy provides a list of systems that have been successfully authenticated; however, local checks were not enabled. While these systems should be considered successfully authenticated, there could be missing vulnerability data. System administrators should investigate these systems for misconfiguration. This policy statement displays a ratio number of the systems so identified compared to the total number of Windows systems with Local Checks enabled. Compliance for the policy is No matching systems.

10. Authentication Success: Less than 6% of Systems with Local Checks Enabled & Errors - This policy provides a list of systems that have been successfully authenticated, however, there were recorded problems related to permissions or access to any number of resources.  While these systems should be considered successfully authenticated, there could be missing vulnerability data.  System administrators should investigate these systems for misconfiguration or possible insufficient privileges for the scan account.  Compliance for the policy is less than 6% matching systems, which allows for new systems that are found to be on the network.

11. Authentication Success: Greater than 95% Systems with Successful Authentication, Local Checks, and without Errors - This policy identifies the majority of systems on the network. Analysts can rely on the vulnerability data collected for these targets.  Nessus was able to login and collect missing patches, compliance settings, and many other risk indicators based on the applied scan policies.  Compliance for the policy is greater than 94% matching systems.