Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Explore
Products
- NEW!
  Exposure Command
  Take Command of Your Attack Surface
  Request Demo
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The 2024 Attack Intelligence Report
  Read the latest research by Rapid7 Labs
  READ NOW
Company
Partners
Sign In

Nexpose

Platform
- TECHNOLOGY
  The Rapid7 Command Platform
  AI-Powered Cybersecurity Platform
  Explore
Products
- NEW!
  Exposure Command
  Take Command of Your Attack Surface
  Request Demo
- DETECTION & RESPONSE
- Next-Gen SIEM
  INSIGHTIDR
- Threat Intelligence
  THREAT COMMAND
Services
- MXDR
  Managed Threat Complete
  24x7 MXDR to secure your extended ecosystem
  Request Demo
- DETECTION & RESPONSE
- Managed XDR
  MANAGED THREAT COMPLETE
- Incident Response Services
  EXPERIENCING A BREACH?
Resources
- NEW
  The 2024 Attack Intelligence Report
  Read the latest research by Rapid7 Labs
  READ NOW
Company
Partners

Sign In

Documentation
Nexpose
Release Notes

Docs Menu

Get Started

Welcome to Nexpose
Quick Start Guide
- System Requirements
- Download
Tour the Home Page
- Changes to the Security Console Administration page
Service start, stop, and status controls
Nexpose glossary of terms

Sites

What is a site?
Creating your first site
Site creation use cases
Create and edit sites
Giving users access to a site
Adding assets to sites
Best practices for adding assets
Deleting sites
Site Detail View

Scan Engines

Scan Engines
Distributed Scan Engines
Post-Installation Engine-to-Console Pairing
External Scanning Service
Scan Engine Pools
Containerized Scan Engine
AWS Scan Engines
Azure Scan Engines
Scan Engine Communication Methods
Scan Engine Data Collection - Rules and Details

Scan Assistant

Using the Scan Assistant

Scan Templates

Selecting a scan template
Scanning with multiple templates
Scan templates appendix
Authenticated Discovery Scans
Configuring Web spidering

Scan Credentials

Configuring scan credentials
Maximizing security with credentials
Configuring site-specific scan credentials
Managing shared scan credentials
Creating and Managing CyberArk Credentials
Kerberos Credentials for Authenticated Scans
Using SSH public key authentication
Elevating permissions
Database scanning credential requirements
Using LM/NTLM hash authentication
Authentication on Windows: best practices
Authentication on Unix and related targets: best practices
Using PowerShell with your scans

Alerts and Schedules

Setting up scan alerts
Schedule a scan
Schedule scan blackouts
Export your Calendar

Dynamic Discovery

Managing dynamic discovery of assets
Discovering mobile devices
Discovering Amazon Web Services instances
Discovering Microsoft Azure instances
Discovering Virtual Machines Managed by VMware vCenter or ESX/ESXi
Discovering Assets through DHCP Log Queries
Discovering Assets managed by McAfee ePolicy Orchestrator
Discovering vulnerability data collected by McAfee Data Exchange Layer (DXL)
Discovering Assets managed by Active Directory
Creating and managing Dynamic Discovery connections
Initiating Dynamic Discovery
Using filters to refine Dynamic Discovery
Monitoring Dynamic Discovery
Configuring a site using a Dynamic Discovery connection

Other Scanning Resources

Working with Project Sonar
Importing AppSpider scan data
Running a manual scan
Understanding different scan engine statuses and states
Viewing scan results and scan logs
Scan threads and port statuses
Stopping all in-progress scans
Automating security actions in changing environments
Enabling Remote Registry Activation
Working with Containers
Configuring scan authentication on target Web applications
- Creating a logon for Web site form authentication
- Creating a logon for Web site session authentication with HTTP headers
Measuring scan performance and time
Scanning a load balancer
Using the Metasploit Remote Check Service

Assess

Assess
Locating and working with assets
Fingerprint certainty
Applying RealContext with tags
Working with vulnerabilities
Vulnerability metrics explained
Vulnerability exceptions
Policy Manager
Policy rule overrides
Scanning for specific vulnerabilities

Act

Working with asset groups
Performing filtered asset searches
Creating a dynamic or static asset group from asset searches

Reports

Working with reports
Report templates and sections
Creating a basic report
Viewing, editing, and running reports
Working with risk trends in reports
For ASVs: Consolidating three report templates into one custom template
Distributing, sharing, and exporting reports
Configuring data warehousing settings
Configuring custom report templates
Understanding report content
Working with report formats
Report start times and durations
Upload externally created report templates signed by Rapid7

SQL Query Export

Creating reports based on SQL queries
Understanding the reporting data model: Overview and query design
Understanding the reporting data model: Facts
Understanding the reporting data model: Dimensions
Understanding the reporting data model: Functions
SQL Query Export examples

Tune

Tune
Working with scan templates and tuning scan performance
Configuring custom scan templates
Configuring asset discovery
Configuring service discovery
Selecting vulnerability checks
Selecting Policy Manager checks
Configuring verification of standard policies
Configuring scans of various types of servers
Configuring File Searches on Target Systems
Using other tuning options
Managing certificates for scanning
Creating a custom policy
Uploading custom SCAP policies
Risk Strategies
Adjusting risk with criticality
Sending custom fingerprints to paired Scan Engines
Scan property tuning options for specific use cases

Users and Authentication

Managing users and authentication
Setting password policies
Two factor authentication
LDAP authentication
Kerberos authentication
SAML 2.0 authentication
Remove an authentication source from Nexpose
How to reset a password

Manage

Managing the Security Console
Configure HTTPS Options
PostgreSQL 15.6 Database Migration Guide
Planning a deployment
Database Backup, Restore, and Data Retention
Managing versions, updates, and licenses
SCAP compliance
Live Licensing
Setting Up a Sonar Query
Enabling FIPS mode
Using the command console
Troubleshooting
Running the Windows uninstaller
Running the Linux uninstaller
Configuring maximum performance in an enterprise environment
Define your goals
Ensuring complete coverage
Planning your Scan Engine Deployment
Setting up the application and getting started
Planning for Capacity Requirements
Bulk asset delete operations
Using a proxy server

Integrations

Amazon Web Services (AWS)
Amazon Web Services FAQs

Resources

Resources
RESTful API
Finding out what features your license supports
Application encryption types
Linking assets across sites
Using regular expressions
Using Exploit Exposure
Performing configuration assessment
Nexpose Physical Appliance
Virtual Appliance Guide
Patching Appliances for Meltdown/Spectre
Recurring vulnerability coverage

Release Notes

Nexpose release notes

Support

Investigate false positives
Contact the Rapid7 Support Team
Share an idea with Rapid7
Finding out what features your license supports

End-of-life Announcements

BeyondTrust (Previously Liberman) Privileged Identity End-of-Life announcement
Manage Engine Service Desk legacy integration End-of-Life announcement
Thycotic legacy integration End-of-Life announcement
Internet Explorer 11 browser support end-of-life announcement
Legacy data warehouse and report database export End-of-Life announcement
Amazon Web Services (AWS) legacy discovery connection End-of-Life announcement
NSX Manager End-of-Life announcement
Legacy CyberArk ruby gem End-of-Life announcement
ServiceNow ruby gem End-of-Life announcement
Legacy Imperva integration End-of-Life announcement
Cisco FireSight (previously Sourcefire) ruby gem integration End-of-Life announcement
Microsoft System Center Configuration Manager (SCCM) ruby gem integration End-of-Life announcement
TLS 1.0 and 1.1 support for Insight solutions End-of-Life announcement

Get Started

Welcome to Nexpose
Quick Start Guide
- System Requirements
- Download
Tour the Home Page
- Changes to the Security Console Administration page
Service start, stop, and status controls
Nexpose glossary of terms

Sites

What is a site?
Creating your first site
Site creation use cases
Create and edit sites
Giving users access to a site
Adding assets to sites
Best practices for adding assets
Deleting sites
Site Detail View

Scan Engines

Scan Engines
Distributed Scan Engines
Post-Installation Engine-to-Console Pairing
External Scanning Service
Scan Engine Pools
Containerized Scan Engine
AWS Scan Engines
Azure Scan Engines
Scan Engine Communication Methods
Scan Engine Data Collection - Rules and Details

Scan Assistant

Using the Scan Assistant

Scan Templates

Selecting a scan template
Scanning with multiple templates
Scan templates appendix
Authenticated Discovery Scans
Configuring Web spidering

Scan Credentials

Configuring scan credentials
Maximizing security with credentials
Configuring site-specific scan credentials
Managing shared scan credentials
Creating and Managing CyberArk Credentials
Kerberos Credentials for Authenticated Scans
Using SSH public key authentication
Elevating permissions
Database scanning credential requirements
Using LM/NTLM hash authentication
Authentication on Windows: best practices
Authentication on Unix and related targets: best practices
Using PowerShell with your scans

Alerts and Schedules

Setting up scan alerts
Schedule a scan
Schedule scan blackouts
Export your Calendar

Dynamic Discovery

Managing dynamic discovery of assets
Discovering mobile devices
Discovering Amazon Web Services instances
Discovering Microsoft Azure instances
Discovering Virtual Machines Managed by VMware vCenter or ESX/ESXi
Discovering Assets through DHCP Log Queries
Discovering Assets managed by McAfee ePolicy Orchestrator
Discovering vulnerability data collected by McAfee Data Exchange Layer (DXL)
Discovering Assets managed by Active Directory
Creating and managing Dynamic Discovery connections
Initiating Dynamic Discovery
Using filters to refine Dynamic Discovery
Monitoring Dynamic Discovery
Configuring a site using a Dynamic Discovery connection

Other Scanning Resources

Working with Project Sonar
Importing AppSpider scan data
Running a manual scan
Understanding different scan engine statuses and states
Viewing scan results and scan logs
Scan threads and port statuses
Stopping all in-progress scans
Automating security actions in changing environments
Enabling Remote Registry Activation
Working with Containers
Configuring scan authentication on target Web applications
- Creating a logon for Web site form authentication
- Creating a logon for Web site session authentication with HTTP headers
Measuring scan performance and time
Scanning a load balancer
Using the Metasploit Remote Check Service

Assess

Assess
Locating and working with assets
Fingerprint certainty
Applying RealContext with tags
Working with vulnerabilities
Vulnerability metrics explained
Vulnerability exceptions
Policy Manager
Policy rule overrides
Scanning for specific vulnerabilities

Act

Working with asset groups
Performing filtered asset searches
Creating a dynamic or static asset group from asset searches

Reports

Working with reports
Report templates and sections
Creating a basic report
Viewing, editing, and running reports
Working with risk trends in reports
For ASVs: Consolidating three report templates into one custom template
Distributing, sharing, and exporting reports
Configuring data warehousing settings
Configuring custom report templates
Understanding report content
Working with report formats
Report start times and durations
Upload externally created report templates signed by Rapid7

SQL Query Export

Creating reports based on SQL queries
Understanding the reporting data model: Overview and query design
Understanding the reporting data model: Facts
Understanding the reporting data model: Dimensions
Understanding the reporting data model: Functions
SQL Query Export examples

Tune

Tune
Working with scan templates and tuning scan performance
Configuring custom scan templates
Configuring asset discovery
Configuring service discovery
Selecting vulnerability checks
Selecting Policy Manager checks
Configuring verification of standard policies
Configuring scans of various types of servers
Configuring File Searches on Target Systems
Using other tuning options
Managing certificates for scanning
Creating a custom policy
Uploading custom SCAP policies
Risk Strategies
Adjusting risk with criticality
Sending custom fingerprints to paired Scan Engines
Scan property tuning options for specific use cases

Users and Authentication

Managing users and authentication
Setting password policies
Two factor authentication
LDAP authentication
Kerberos authentication
SAML 2.0 authentication
Remove an authentication source from Nexpose
How to reset a password

Manage

Managing the Security Console
Configure HTTPS Options
PostgreSQL 15.6 Database Migration Guide
Planning a deployment
Database Backup, Restore, and Data Retention
Managing versions, updates, and licenses
SCAP compliance
Live Licensing
Setting Up a Sonar Query
Enabling FIPS mode
Using the command console
Troubleshooting
Running the Windows uninstaller
Running the Linux uninstaller
Configuring maximum performance in an enterprise environment
Define your goals
Ensuring complete coverage
Planning your Scan Engine Deployment
Setting up the application and getting started
Planning for Capacity Requirements
Bulk asset delete operations
Using a proxy server

Integrations

Amazon Web Services (AWS)
Amazon Web Services FAQs

Resources

Resources
RESTful API
Finding out what features your license supports
Application encryption types
Linking assets across sites
Using regular expressions
Using Exploit Exposure
Performing configuration assessment
Nexpose Physical Appliance
Virtual Appliance Guide
Patching Appliances for Meltdown/Spectre
Recurring vulnerability coverage

Release Notes

Nexpose release notes

Support

Investigate false positives
Contact the Rapid7 Support Team
Share an idea with Rapid7
Finding out what features your license supports

End-of-life Announcements

BeyondTrust (Previously Liberman) Privileged Identity End-of-Life announcement
Manage Engine Service Desk legacy integration End-of-Life announcement
Thycotic legacy integration End-of-Life announcement
Internet Explorer 11 browser support end-of-life announcement
Legacy data warehouse and report database export End-of-Life announcement
Amazon Web Services (AWS) legacy discovery connection End-of-Life announcement
NSX Manager End-of-Life announcement
Legacy CyberArk ruby gem End-of-Life announcement
ServiceNow ruby gem End-of-Life announcement
Legacy Imperva integration End-of-Life announcement
Cisco FireSight (previously Sourcefire) ruby gem integration End-of-Life announcement
Microsoft System Center Configuration Manager (SCCM) ruby gem integration End-of-Life announcement
TLS 1.0 and 1.1 support for Insight solutions End-of-Life announcement

Giving users access to a site

When creating or editing a site, you can control which users have access to it. Allowing users to configure and run scans on only those assets for which they are responsible is a security best practice, and it ensures that different teams in your organization are able to manage targeted segments of your network.

For example, your organization has an administrative office in Chicago, a sales office in Hong Kong, and a research center in Berlin. Each of these locations has its own site with a dedicated IT or security team in charge of administering its assets. By giving one team access to the Berlin site and not to the other two sites, you allow that team to monitor and patch the research center assets without being able to see sensitive information in the administrative or sales offices.

When Global Administrator creates a user account, they can either grant the user access to all sites, or restrict access by adding the user to access lists for specific sites. For more information, read Configure general user account attributes.

Global Administrators and users with access to all sites do not appear in the Configure User Access list because they automatically have access to any site.

To configure user access to a site:

On the Home page, click the Edit icon for the site that you want to add users to.
Click the Details tab.
Under Configure User Access, select the users you want to add.
Click Save.

Did this page help you?