When and when not to use Credentials for Nessus scans

Tenable consistently gets questions as to when a user should perform a vulnerability scan with credentials. Nessus 3 can perform extensive host-based configuration and patch audits on most flavors of UNIX and Windows. This blog entry will help Nessus users understand when and why they should consider using credentials when performing scans.

Testing for Client Vulnerabilities 

Most network clients like Mozilla, Eudora and Outlook do not have network ports that are open for probing by a remote Nessus scanner. Some client applications, such as various P2P and communication tools, do have network ports that are open for analysis by Nessus. However, for 100% coverage of all local client vulnerabilities, a credentialed Nessus scan is the best choice.

If auditing client vulnerabilities is of interest, you might want to consider Tenable's Passive Vulnerability Scanner which can sniff this sort of information out of regular network traffic.

Testing for Compliant Configurations

If you are a Nessus 3 Direct Feed subscriber, or have the Security Center deployed, if you want to audit your UNIX and Windows configurations against a known "best practice" configuration, you need to have credentials.

Testing for Specific Patches

When a Nessus network check is written by Tenable, we have to consider the most common deployment case of a particular application. For example, if a vulnerability is discovered in an Apache web server, Nessus will report it. However, a pure scan on port 80 might not have enough information to conclude if the Apache server was installed on RedHat by an RPM, on FreeBSD through a package or even as an executable on a Windows server. The point is that although Nessus will likely recommend an upgrade to a newer version of Apache, for a well managed server, a network check might not point out the specific patch needed.

For 100% coverage of needed patches, you should configure your Nessus scanner with credentials. This will provide specific patches that need to be applied. This also allows your IT people who might not know about the particular application's security issues or revisions to conduct an upgrade within their regular patching process.

Testing from a Malicious Adversary's Point of View

Running a regular network scan from outside your firewall, across a VPN or between departments will show you exactly what an adversary or hostile insider might see. These scans should be performed without credentials (although you should consider what would happen if an insider or outsider does know your domain passwords). A full network scan should exercise all exposed ports and applications and expose them to an audit of the more than 11,000 plugins currently available to Nessus users.

Using Nessus to test an IDS, IPS or Smart Firewall

Using credentials to audit a system protected by a security device won't really exercise the device at all. Either it will likely pass the connection attempt or block it. However, Nessus can perform many types of reconnaissance, enumeration and identification of vulnerabilities on a network. The techniques Nessus uses are similar to the type of techniques an IDS or IPS may be configured to look for.

Also the load, variety and content of the scanning traffic is something that can be used to test the robustness of the security device. Be sure to make sure you try scanning both through the device as well as scanning the device itself.

Testing for Worms, Backdoors and Trojans

Tenable does write plugins for Nessus that do look for evidence of the major worms and trojans, but you should not consider a Nessus scan as a replacement for your SpyWare or Anti-Virus solutions. Having said that, some network scans to look for various "worm" ports such as Sasser's FTP server. Some local checks (such as Nessus plugin #11329) do attempt to identify registry settings and values set by different worms. For large scale scans, this can help identify some infected servers.  Credentials are need to perform these "local" audits.