
Tenable Blog


5 Ways to Protect Scanning Credentials for Windows Hosts

This is the second installment in our three-part series exploring how to use Tenable products to protect credentials used for network assessments. Here, we provide specific guidance for Microsoft Windows systems.

In my last post, I covered general best practices for protecting credentials when performing network assessments. When it comes to protecting credentials in a Microsoft Windows Active Directory environment, though, we have specific guidance.

Please note that enabling some of these controls may affect other parts of your network and systems. Before you implement any of these changes, you should test all settings thoroughly to determine if they are appropriate for your environment. Not all organizations will be able to implement all these settings. When configuring service account(s) for use in credentialed scanning, below are some key considerations unique to Windows hosts.

5 tips for credentialed scanning of Windows hosts

  1. Disable interactive log on.
    Usually, accounts used for remote administrative authentication, like Nessus performs, don’t need to behave like a standard user account. To this end, enabling functionality that prevents unnecessary access like “Deny log on locally” or “Deny log on through Remote Desktop Services” is a good idea.
  2. Restrict delegated access.
    Like interactive logon, Microsoft allows account privileges to be delegated under certain circumstances to enable specific functionality. This is not necessary for vulnerability scanning and should be disabled.
    (Figure: Restricting Delegated Access)
  3. Add the account to the “Protected Users” group.
    If your Active Directory (AD) domain supports it, the “Protected Users” group adds additional security to how credentials are treated when authenticating to a host. The controls provided to this group are especially important if you can’t take advantage of all the other suggestions listed here. If your domain doesn’t support this functionality yet, try to implement the controls it provides individually where possible.
  4. Secure SMB protocols.
    It seems every few years, there’s a new critical vulnerability in the SMB protocol or the network services that live behind it. While keeping up-to-date on patches is critical, you can make several proactive configuration changes to further secure this service:
  5. Prioritize or force Kerberos authentication.
    Kerberos is the authentication protocol of choice for modern Windows systems. It has several benefits over NTLM, including preventing relay attacks, and is relatively easy to implement. By default, Nessus will disable the use of insecure protocols like NTLMv1 and LM. 

Things to avoid:

  • Do not use Domain Admin accounts (and other “High” privileged accounts).
    Accounts in the “Domain Admin” group are extremely powerful and should be tightly controlled and restricted. Nessus does not require Domain Admin level privilege (or any domain-wide privilege) for remote network scanning; it only requires administrative access to the local machine being assessed.
  • Do not use domains as security boundaries.
    In AD, different domains that are part of one forest are not segmented. A compromise in one almost always means the entire forest is compromised. Segregating your privileged accounts and systems into another forest is essential. If using domain credentials to authenticate, especially if using higher-privileged accounts, ensure they’re part of a separate forest.
  • Do not reuse accounts between scanning and users or other IT operations.
    I noted this tip in our general best practices, but it deserves repeating. Accounts should be single-use.
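
As an added example (not code from the original post or from Tenable), the PowerShell audit below checks a scanning service account against tips 1 through 4 above and the Domain Admin warning in the list just given. It assumes the RSAT ActiveDirectory module is installed, that it runs with local administrator rights on a host in scope for the scan, and that the account name svc-nessus-scan is a placeholder.

```powershell
# Added example: audit a Nessus scanning service account against the
# controls discussed above. Assumes the RSAT ActiveDirectory module and
# the placeholder account 'svc-nessus-scan'. Run on a scanned host with
# local admin rights so the logon-rights and SMB checks reflect that host.
Import-Module ActiveDirectory

$Account  = 'svc-nessus-scan'   # placeholder, not a real account
$user     = Get-ADUser -Identity $Account -Properties AccountNotDelegated
$groups   = (Get-ADPrincipalGroupMembership -Identity $Account).Name  # direct membership only
$findings = @()

# Tip 2: "Account is sensitive and cannot be delegated" must be set.
if (-not $user.AccountNotDelegated) {
    $findings += "Delegation allowed. Fix: Set-ADUser $Account -AccountNotDelegated `$true"
}

# Tip 3: Protected Users (needs a domain functional level that supports the group).
if ($groups -notcontains 'Protected Users') {
    $findings += "Not in Protected Users. Fix: Add-ADGroupMember 'Protected Users' -Members $Account"
}

# Things to avoid: a scanning account needs no domain-wide privilege.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    if ($groups -contains $g) { $findings += "Member of high-privilege group '$g'" }
}

# Tip 1: deny local and RDP logon on this host (user rights assignment).
# secedit exports the applied local security policy; rights are listed by SID.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg
$sid = $user.SID.Value
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $line = $policy | Where-Object { $_ -like "$right*" }
    if (-not $line -or $line -notmatch [regex]::Escape($sid)) {
        $findings += "$right does not include $Account on this host"
    }
}

# Tip 4: SMB server hardening on the scanned host.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 enabled. Fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
if (-not $smb.RequireSecuritySignature) {
    $findings += 'SMB signing not required. Fix: Set-SmbServerConfiguration -RequireSecuritySignature $true'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$Account passes all checks on $env:COMPUTERNAME" }
```

Each warning names the remediation cmdlet so the fix can be applied after it has been tested for the environment, as the note at the top of the post advises.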

In the next installment of this three-part series, I’ll discuss ‘nix credentialed assessments and options for securing that process.

Note: There are alternatives to credentialed network scanning, such as agents and passive assessments.
