
Tenable Blog


Asking for Credentials from IT

If you are not part of the IT group, you may have to ask someone for the right credentials to perform patch and configuration audits with Nessus. This blog entry will offer some advice and strategies to consider when attempting to obtain access to the devices for auditing.

Who Doesn't Have Credentials?

If your organization has mandated security audits, they may have also mandated that credentials be provided to the group performing network scans. If your group is like this, then this blog entry isn't for you. However, you should realize that there are still many organizations where the "audit" group doesn't have full access to the devices they are scanning.

Benefits for IT from Credentialed Scanning

Credentialed audits can show a variety of "good" news about an IT group.

If systems are being patched on a regular basis, then a patch audit won't find many problems. This can show IT management an independent confirmation of how their network is being operated.

When missing patches are found, they are 100% accurate and actionable. This is not to say that a network scan isn't accurate (Tenable shoots for 100% accuracy), but Nessus network scans don't immediately tell you which patch to apply. A vulnerable version of Apache could have any number of potential fixes, but with credentials, the exact missing security patch(es) can be discovered. This is also more efficient to task an IT administrator with. Rather than saying "upgrade Apache" which is ambiguous, someone can say "apply patch #4637".

Credentialed scans can identify and list all of the UNIX and Windows software that has been installed. If you are viewing the data in the Security Center, then the results can be searched or even used to create dynamic asset lists of systems that have certain types of software installed. We've recently blogged about this concept.

And finally, if you are managing your Nessus scanners with the Security Center or subscribed to the Direct Feed, a configuration audit can be performed. If an IT group is managing all of their system configurations centrally, then these audits should independently show consistency and conformity to a global policy. Even if no strict corporate configuration policies are enforced, auditing systems against various government standards for passing and failing settings can also highlight where an IT organization has performed well.

Know What To Ask For

For Windows audits, asking for full domain administrator rights does give Nessus enough credentials to perform its audits, but this sort of request can be unfathomable to an IT group. Instead, Tenable recommends two strategies.

First, consider asking for access to the "backup" account. This account likely has access to read both files and system settings. Second, consider asking that a specific "audit" account be created with similar read-only access. A dedicated "audit" account has the advantage of showing up in the logs and instantly being recognized by everyone in IT as a potentially approved activity.

For UNIX, Nessus supports SSH passwords and public/private keys. For patch auditing, root access is recommended but not mandatory. Be aware that some more secure UNIXes (such as Trusted Solaris) may require root to obtain a package list.

For UNIX configuration auditing, keep in mind that appropriate access is required. For example, a file owned by root might only be "readable" by a root user or someone in the "wheel" group.
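The following is an added example, not code from Tenable or Nessus: a small pre-flight check that tells you which configuration files a proposed "audit" account would be unable to read under POSIX permissions, so you can ask for the right group membership (or root) before the audit is scheduled. The uid 1500 audit account and the file inventory are constructed for illustration.

```python
import os
import stat

# Files a UNIX configuration audit typically needs to read. Constructed inventory
# for this example: path -> (permission bits, owner uid, group gid). On a real
# host, build it with stat_inventory() below instead.
SAMPLE_INVENTORY = {
    "/etc/passwd":          (0o644, 0, 0),   # world-readable
    "/etc/ssh/sshd_config": (0o640, 0, 0),   # root, or members of gid 0 (root/wheel)
    "/etc/shadow":          (0o600, 0, 0),   # root only
    "/etc/sudoers":         (0o440, 0, 0),   # root or gid 0, read-only
}

def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check: root reads everything; otherwise only the first
    matching class (owner, then group, then other) decides."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def unreadable_paths(uid, gids, inventory):
    """Paths the candidate audit account cannot read; these are the files
    whose access you still need to request (e.g. 'wheel' membership or root)."""
    return sorted(p for p, (mode, fuid, fgid) in inventory.items()
                  if not can_read(mode, fuid, fgid, uid, gids))

def stat_inventory(paths):
    """Build the same inventory from the live filesystem (missing files skipped)."""
    inv = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        inv[p] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return inv

if __name__ == "__main__":
    # Hypothetical 'audit' account (uid 1500), member only of its own group.
    print("audit account alone:   ", unreadable_paths(1500, {1500}, SAMPLE_INVENTORY))
    # Same account after being added to gid 0 (root/wheel group).
    print("audit account in wheel:", unreadable_paths(1500, {1500, 0}, SAMPLE_INVENTORY))
```

Group membership covers the 0640/0440 files but not /etc/shadow, which is why the text says root may still be needed for some checks.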

Sharing Data With IT

If you do have access to IT and perform scans, sharing the data, or even making sense of it, can be difficult.

Some organizations let IT perform their own scans, and this is great from a "self test" perspective, but self audits are not reliable and should be performed by a third party not involved in the day-to-day operation of the network.

If an audit group performs ad-hoc scans of key assets on a set schedule and shares the results with asset owners, the right data can be sent to the right people in a timely manner. There is overhead in tracking the need for re-scans, tracking which systems should be scanned and even which people in IT have the right to see or review the data.

Tenable offers the Security Center, which can be used to centralize scanning, scan results, data analysis and tracking of which systems need to be re-scanned. Only the specific users of certain IT assets can see the results for those assets. The Security Center can also offer IDS event viewing and log analysis to the same IT users.

If You Can't Get Credentials

If you are faced with performing network audits without access to system credentials, what are you facing? Several things:

There will be less information on specific client-side (such as Internet Explorer and Mozilla) vulnerabilities. Some clients (such as iTunes) do have network services that Nessus can discover and reliably identify.

The vulnerabilities found will be very accurate, but sometimes very generic. As in the Apache example discussed above, knowing a vulnerability and knowing a patch are two different things. Typically, Nessus network scans can tell you that an upgrade is required, but not the specific patches that are missing. One exception to this rule is while scanning Windows network services. Very often, Nessus will be able to determine the exact patch required, even without credentials.

If things haven't been locked down, don't be surprised if your Nessus scan reports some patch audit results anyway. If you have an Admin account on Windows that is not password protected, or similarly with a Guest account, Nessus may be able to use those credentials when performing a scan.

If the audit group does have some access to the domain (such as a regular user's username and password), this type of account may be enough to audit other Windows systems on the domain. It all depends on how locked down the network is.

Lastly, if credentials are not available, consider deploying the Passive Vulnerability Scanner alongside your Nessus scanners. This sniffer can find many client- and server-side vulnerabilities without any scanning at all. It also integrates seamlessly with the Security Center for centralizing active, passive and credentialed vulnerability and configuration data in one spot. If data obtained passively contradicts what IT is claiming (e.g., they may claim that all web browsers are patched, but sniffing clearly shows older versions of Mozilla), this may also be enough evidence to convince management to allow auditing with full credentials.

For More Information

If performing credentialed audits with Nessus is a new concept for you, a good place to start is the Nessus Credentialed Checks for UNIX and Windows paper. To help understand the advantages and limitations of active scanning, credentialed scanning and passive network monitoring, please read the Blended Security Assessments paper.
