Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tracking Windows Authentication Scan Results

by Cesar Navas
June 11, 2019

When scanning the network, organizations often have several layers of authorization and, therefore, require different permissions.  All too oftentimes credentials that work on one system do not work on another. This Assurance Report Card (ARC) provides the ability to report and analyze Windows systems based on their authentication status.  

When managing a large enterprise, problems often arise when verifying the validity of a vulnerability scan. Due to the use of several different administrative accounts, a scan job could use several different accounts for a single authentication protocol.  Each protocol (i.e. Server Message Block (SMB) or Secure Shell (SSH)) could have a different credential.  A symptom of the complexity of the authentication problem is a Linux computer could run SAMBA and appear like a Windows computer.   While Tenable.sc and Nessus can sort this information out, combing through the data is often challenging.  Through the use of Dynamic Assets, Tenable.sc is able to group devices together for a comparative analysis.  Using the ARC, Tenable.sc provides advanced analysis capabilities to facilitate and easily distribute this functionality to organizations.  

This ARC presents a series of policy statements which together can be used to troubleshoot, fix, and verify authenticated scan results on Windows systems. The policy statements are grouped so that the analyst can focus on issues related to OS Detection, Authentication Errors, and Authentication Success.  This ARC starts by first identifying systems that are scanned by Nessus that are suspected of running a Windows operating system.  The next 3 policy statements provide a list of systems that are identified as Windows computers using operating system enumeration techniques.  Two of the three policies check for the confidence level.  To ensure that systems are in fact Windows, one policy checks for a level 95 or higher, resulting in a high certainty the target is in fact a Windows computer.  The remaining two operating system statements identify targets that should be investigated for accuracy.  These inaccuracies can be caused by bad credentials, hardening, proxy services, and other issues.  These operating system statements provide the analyst with a method to identify systems that are in need of scan validation troubleshooting.  

The next 3 policy statements focus on authentication errors. The fifth policy statement provides a list of suspected Windows systems where no authentication attempt was recorded.  This could be due to a closed port, firewall policy, or another issue. This statement helps analysts find the systems where no valid credentials were used, and therefore the scan data is not as reliable.  The next policy statement shows a list of Windows systems with authentication failures. These systems should be investigated for proper authentication.

The remaining policy statements report on the different levels of authentication success.  Sometimes, even when authentication is successful, there are still problems with scan results.  These policy statements help to identify problems related to permissions. Many times, a system may be scanned with valid credentials, but the account used may not have access to the registry or other files on the target.  Using this ARC, Tenable.sc provides analysts with a clear view of systems with successful credentials that may still have authentication problems.

This ARC is available in the Tenable.sc feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Compliance category. The ARC requirements are as follows:

  • SecurityCenter 5.8.2
  • Nessus 8.2.2

This ARC provides the organization with clear and simplified method to identify Windows systems for analysis.  By first Discovering the Windows systems from the scanned devices, the ARC can then assess the operating systems of the targets to ensure the devices are running Windows.  Then, the data is Analyzed for proper authentication, which facilitates the Fix and Measuring steps to the Cyber Exposure Lifecycle.  Tenable.sc is the On-Prem solution for understanding a comprehensive picture of the network, while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

ARC Policy Statements

1. Number of systems scanned suspected to be Windows systems: This policy statement displays a ratio number of the suspected Windows system compared to the total number of systems scanned.  The policy uses plugins that are common amongst a majority of Windows systems that focus on Remote Desktop Protocol (RDP) and SMB services.  Compliance for this policy is Any matching the policy.  

2. OS Detection: Suspected Windows Systems where OS detection was not successful: This policy identifies systems that were scanned and found to have SMB or RDP services, but for some reason the Operating System was not discovered.  Systems that match this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Windows computer.  Compliance for the policy is No matching systems.

3. OS Detection: Less than 6% of Windows Systems where OS detection confidence level was less than 95: This policy identifies systems that were scanned and found to have SMB or RDP services, however, to a degree, Nessus was not confident of the operating systems.  The matching systems are most likely running a version of Windows, but the version could be new or the authentication could have been invalid.  Systems matched by this policy should be investigated for misconfiguration, valid login credentials, or for proper identification as a Windows computer.  Compliance for the policy is less than 6% matching systems, which allows for new systems that are found to be on the network.

4. OS Detection: Greater than 94% of Windows Systems where OS detection confidence level was greater than 94: This policy identifies systems that were scanned and found to have SMB or RDP services. Nessus is confident of the identified operating system.  The matching systems are running a version of Windows.  Compliance for the policy is greater than 94% matching systems.

5. Authentication Errors: Suspected Windows Systems with no authentication attempts recorded: This policy identifies systems with no matching authentication plugins.  This could mean no suitable protocol was presented to Nessus, no credentials where available for the operating system, or another issue is present.  These systems should be investigated and special attention should be paid to how the operating system was detected and what condition exists that prevents proper authentication attempts. Compliance for the policy is No matching systems.

6. Authentication Errors: Suspected Windows Systems with Authentication Success due to NULL Session: This policy statement provides the analysts with systems that are grossly misconfigured and allow for a NULL session during authentication to the SMB service.  These systems pose a grave danger to the security of the network and should immediately be removed and properly configured.  Compliance for the policy is No matching systems.

7. Authentication Errors: Systems identified as Windows and Authentication Failures: This policy identifies systems where the operating system is correctly identified, however, the credentials provided with the scan failed to allow Nessus to login correctly.  Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue.  The vulnerability data collected on this system should be considered incomplete.  Compliance for the policy is No matching systems.

8. Authentication Success: No Systems identified as Windows with Authentication Success and Authentication Failures: This policy identifies systems where the operating system is correctly identified and with authentication success, however, the credentials provided with the scan failed to allow Nessus to login correctly.  Invalid credentials, incompatible protocol settings, or other similar problems could cause this issue.  The vulnerability data collected on this system should be considered incomplete.  Compliance for the policy is No matching systems.

9. Authentication Success: Systems identified as Windows with Local Checks disabled: This policy provides a list of systems that have been successfully authenticated; however, local checks were not enabled. While these systems should be considered successfully authenticated, there could be missing vulnerability data. System administrators should investigate these systems for misconfiguration. This policy statement displays a ratio number of the systems so identified compared to the total number of Windows systems with Local Checks enabled. Compliance for the policy is No matching systems.

10. Authentication Success: Less than 6% of Systems with Local Checks Enabled & Errors: This policy provides a list of systems that have been successfully authenticated, however, there were recorded problems related to permissions or access to any number of resources.  While these systems should be considered successfully authenticated, there could be missing vulnerability data.  System administrators should investigate these systems for misconfiguration or possible insufficient privileges for the scan account.  Compliance for the policy is less than 6% matching systems, which allows for new systems that are found to be on the network.

11. Authentication Success: Greater than 95% Systems with Successful Authentication, Local Checks, and without Errors: This policy identifies the majority of systems on the network. Analysts can rely on the vulnerability data collected for these targets.  Nessus was able to login and collect missing patches, compliance settings, and many other risk indicators based on the applied scan policies.  Compliance for the policy is greater than 94% matching systems.

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.