Configuring site-specific scan credentials

Scanning with credentials allows you to gather information about the assets in your site that you could not otherwise access. To configure credentials for your site, you may need to test the credentials, restrict them to a specific asset or port, or enable and modify existing credentials.

You can configure the scan credentials for your site in one of two ways:

  • Create new credentials - If you create credentials within a site, these are called site-specific credentials and cannot be used in other sites.
  • Use existing credentials - You can reuse site-specific credentials that were previously created in your site or shared credentials that were created and assigned to your site.

To compare site-specific credentials and shared credentials, see Shared Credentials vs. Site-Specific Credentials.

Overview

This article covers the following steps:

  1. Create site-specific credentials
  2. Restrict credentials
  3. Test site-specific credentials
  4. Assign site-specific credentials
  5. Verify scan credential authentication
  6. Enable scan diagnostics
  7. Manage existing site-specific credentials

Create site-specific credentials

ℹ️

Using VMware NSX integration?

If you created a site through VMware NSX integration, editing scan credentials is not necessary or supported. See Integrating NSX network virtualizations with scans.

  1. Choose whether to create a new site or edit an existing one:
    • To add credentials to a new site configuration, click Create Site on the Home page.
    • To add credentials to an existing site, go to the Sites page and click the Edit icon next to the site.
  2. Click the Authentication tab then click Create Scan Credentials.
  3. Enter a name and description.
  4. Select a service for authentication from the dropdown.
  5. Provide the required authentication details.
    • If you do not know what authentication service to select or what credentials to use for that service, consult your network administrator.
  6. Optionally, restrict the credentials.
  7. Optionally, test the credentials.
  8. Click Create.

Enable an existing credential in a site

If a set of credentials is not enabled for a site, the scan will not attempt authentication on target assets with those credentials. Make sure to enable credentials if you want to use them.

To enable credentials for an existing site:

  1. From the Home page, find the site in the Sites table and click the Edit icon.
  2. From the site configuration page, go to the Authentication tab. The Scan Credentials table lists all credentials for this site and can be filtered by those that are site-specific or shared across multiple sites. For more information, see Shared Credentials vs. Site-Specific Credentials.
  3. Toggle any set of credentials you want to scan with in the Enabled column.
  4. Click Save.

Restrict credentials

If a particular set of credentials is only intended for a specific asset and/or port, you can restrict the use of the credentials accordingly. This prevents scans from running unnecessarily long because of authentication attempts on assets that don’t recognize the credentials. You can add multiple restrictions at once to a credential.

If you restrict credentials to a specific asset or port, they will not be used on other assets or ports.

Specifying a port allows you to limit your range of scanned ports in certain situations. For example, you may want to scan Web applications using HTTP credentials. To avoid scanning all Web services within a site, you can specify only those assets with a specific port.

To restrict site credentials:

  1. Go to Manage Site.
  2. From the site configuration page, go to the Authentication tab.
  3. Select an existing credential or create a new one.
  4. Expand the Restrictions section.
  5. Enter restrictions in the following formats:
    • Single IP address: for example 192.168.1.5
    • IP range: for example 10.1.1.1 - 10.1.1.50
    • CIDR: for example 172.16.0.0/16
    • Hostname: for example host.example.com
    • IPv6: for example 2001:db8::1, or 2001:db8::1 - 2001:db8::ff
  6. Optionally, enter a port number. If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.
  7. For new credentials, click Create. For existing credentials, click Save.

⚠️

CIDR ranges are not supported on the API

CIDR ranges are accepted in the UI and are transformed to an IP range; however, they are not supported in the API. For API configuration, use dash-based ranges instead, for example 10.0.0.1 - 10.0.0.254.
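The restriction formats listed above, and the UI's CIDR-to-range rewrite, can be checked before an entry is submitted through the API. The following is an added example, not code from the product or its documentation; it assumes a restriction is a pair of (entry, port or None), that an entry that is neither an IP, a range nor a CIDR is a hostname, and that a restriction with no port falls back to the service default port, as the steps above describe.

```python
import ipaddress

def parse_restriction(text):
    """One entry -> ("host", name) or ("range", first_ip, last_ip)."""
    s = text.strip()
    if "/" in s:                                   # CIDR: accepted by the UI only
        net = ipaddress.ip_network(s, strict=False)
        return ("range", net[0], net[-1])
    a, dash, b = s.partition("-")
    if dash:
        try:                                       # dash range, unless it is a hostname
            first, last = ipaddress.ip_address(a.strip()), ipaddress.ip_address(b.strip())
        except ValueError:                         # e.g. db-01.example.com (assumption)
            return ("host", s.lower())
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {s}")
        return ("range", first, last)
    try:
        ip = ipaddress.ip_address(s)
        return ("range", ip, ip)
    except ValueError:                             # anything else is taken as a hostname
        return ("host", s.lower())

def to_api_form(text):
    """Rewrite an entry into the dash-based form the API accepts (CIDR -> first - last)."""
    kind, *rest = parse_restriction(text)
    if kind == "host":
        return rest[0]
    first, last = rest
    return str(first) if first == last else f"{first} - {last}"

def credential_applies(restrictions, asset, port, default_port):
    """True if a credential with (entry, port_or_None) restrictions is tried on asset:port."""
    if not restrictions:                           # unrestricted: used on every asset/port
        return True
    for entry, rport in restrictions:
        if (rport or default_port) != port:        # no port set -> service default port
            continue
        kind, *rest = parse_restriction(entry)
        if kind == "host":
            matched = asset.lower() == rest[0]
        else:
            try:
                ip = ipaddress.ip_address(asset)
            except ValueError:                     # hostname asset, IP-based restriction
                continue
            matched = ip.version == rest[0].version and rest[0] <= ip <= rest[1]
        if matched:
            return True
    return False
```

Running `credential_applies` against the assets in a site before scanning shows which assets a restricted credential will never be tried on, which is the usual cause of a "No Credentials Supplied" status.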

To verify successful scan authentication on a specific asset, search the scan log for that asset. If the message “A set of [service_type] administrative credentials have been verified.” appears for the asset, authentication was successful.

Test site-specific credentials

You can verify that a target asset in your site will authenticate the Scan Engine with the credentials you’ve entered. This is a quick way to confirm that the credentials are correct before you run the scan.

  1. Go to Create Scan Credential and expand the Test Credentials section.
  2. Enter the name or IP address of the authenticating asset.
  3. To test authentication on a single port, enter a port number. If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.
  4. Click Test credentials.
  5. Note the result of the test. If it was not successful, review and change your entries as necessary, and test them again. The Security Console and scan logs contain information about authentication failure when testing or scanning with these credentials. See Working with log files.

Verify scan credential authentication

  1. Upon completion of a scan, go to Administration > Scans > History and select a Scan Name from the Past Scans table.
  2. View the Completed Assets table and locate the asset you have added credentials to.
  3. Review the Authentication column for the located asset.
  4. Review the Understand credential authentication status section of this article for more information on what each status means.
  5. Click a status for more details.
    1. The Security Console will bring you to the Node page.
    2. In the asset details, locate Credentials and click on the details listed. The Security Console will bring you to the Services table.
    3. Under the Authentication column, the Security Console will display which credential was a success or failure.

Understand credential authentication status

In the Authentication column, the Security Console displays one of the following statuses for your credential authentication:

  • Unknown: Credentials did not return a status or you were running a discovery scan.
  • Partial Credential Success: Many different types of credentials were used, with one or more services being correct and one or more being incorrect.
  • Credential Success: Correct credentials were provided for the range of assets.
  • Credential Failure: Incorrect credentials were provided for the range of assets.
  • No Credentials Used: No credentials were provided for the range of assets.
  • No Credentials Supplied: A restriction prevented a credential from being used.

Enable scan diagnostics

The Scan Engine attempts to collect all of the data necessary for a vulnerability or policy assessment, including scan credentials. Scan Diagnostics help you better understand why credentials can fail. When enabled, Scan Diagnostic checks report a “vulnerable” result against assets when the Scan Engine is supplied with credentials but is unable to gather local information.

  • Credential Success signifies that the engine was able to authenticate to the device. However, even with working credentials, there are circumstances where aspects of data collection could fail.
  • Credential Failure or Partial Credential Success can potentially signify that there has been an issue with authentication. Scan Diagnostics can present greater insight into this situation.

⚠️

Omit scan diagnostic vulnerabilities from reports

Vulnerabilities reported by Scan Diagnostics carry the lowest possible severity and do not impact your risk score. However, they may increase overall vulnerability counts. If you choose to scan with these vulnerabilities, you can adjust the scope of generated reports to exclude them from results. This will prevent these inconsequential vulnerabilities from being passed through to remediation teams.

Scan Diagnostics are disabled by default. To enable Scan Diagnostics, configure Check Categories by adjusting your Scan Templates.

To access the Vulnerability Checks tab in your scan template and enable Scan Diagnostics:

  1. In your Security Console, go to Administration > Scans > Templates.
  2. Click the name link of your existing custom scan template to open it. If you don’t have a custom scan template yet, click the copy icon next to the built-in scan template of your choice to create one.
  3. Open the Vulnerability Checks tab and view the Check Configuration section. This allows you to adjust vulnerability check options.
  4. Select Enable Scanning Diagnostic checks.
  5. Save the Scan Template.

ℹ️

Manual configuration

To inspect assets more thoroughly with Vulnerability Management (InsightVM), configure scan credentials manually.

Manage existing site-specific scan credentials

You can view site-specific credentials by selecting the site you wish to review, clicking Authentication, and filtering by Site.

To edit existing shared credentials:

  1. From the Home page, view the Sites table and click the Edit icon on the site you wish to update.
  2. Click the Authentication tab.
  3. Click the credential name.
  4. Update the configuration as desired.
  5. Click Save.