Configuring site-specific scan credentials
In this topic, you will learn how set up and test credentials for a site, how to restrict them to a specific asset or port, and how to edit and enable the use of previously created credentials.
When configuring scan credentials in a site, you have two options:
- Create a new set of credentials. Credentials created within a site are called site-specific credentials and cannot be used in other sites.
- Enable a set of previously created credentials to be used in the site. This is an option if site-specific credentials have been previously created in your site or if shared credentials have been previously created and then assigned to your site.
To learn about credential types, review Managing shared scan credentials.
Starting configuration for a new set of site-specific credentials
The first action in creating new site-specific scan credentials is naming and describing them. Think of a name and description that will help you recognize at a glance which assets the credentials will be used for. This will be helpful, especially if you have to manage many sets of credentials.
If you created the site through the integration with VMware NSX, you cannot edit scan credentials, which are unnecessary because the integration provides Nexpose with the depth of access to target assets that credentials would otherwise provide. See Integrating NSX network virtualizations with scans.
- Go to the site configuration that you want to add credentials to.
- To add credentials to a new site configuration, click Create Site on the Home page.
- To add credentials to an existing site, go to the Sites page and click the Edit icon next to the site.
- In the site configuration, click the Authentication tab.
- Click Add Credentials.
- In the Add Credentials form, enter a name and description for the new set of credentials.
- Continue with configuring the account, as described in the next section.
Configuring the account for authentication
If you do not know what authentication service to select or what credentials to use for that service, consult your network administrator.
Note: All credentials are protected with RSA encryption and triple DES encryption before they are stored in the database.
Click Account under the Add Credentials tab.
Select an authentication service or method from the drop-down list.
Enter all requested information in the appropriate text fields.
If you want to test the credentials or restrict them see the following two sections. Otherwise, click Create.
To view the newly created credentials, click Manage Authentication and view the Scan Credentials.
Testing the credentials
You can verify that a target asset in your site will authenticate the Scan Engine with the credentials you’ve entered. It is a quick method to ensure that the credentials are correct before you run the scan.
In the Add Credentials form, expand the Test Credentials section by clicking the arrow.
Expand the Test Credentials section.
Enter the name or IP address of the authenticating asset.
Note: If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.
To test authentication on a single port, enter a port number.
Click Test credentials.
Note: If you are testing Secure Shell (SSH) or Secure Shell (SSH) Public Key credentials and you have assigned elevated permissions, both credentials will be tested. Credentials for authentication on the target are tested first, and a message appears if the credentials failed. Permission elevation failures are reported in a separate message. See Using SSH public key authentication.
Note the result of the test. If it was not successful, review and change your entries as necessary, and test them again. The Security Console and scan logs contain information about authentication failure when testing or scanning with these credentials. See Working with log files.
If you want to restrict the credentials to a specific asset or port, see the following section. Otherwise, click Create.
Limiting the credentials to a single asset and port
If a particular set of credentials is only intended for a specific asset and/or port, you can restrict the use of the credentials accordingly. Doing so can prevent scans from running unnecessarily longer due to authentication attempts on assets that don’t recognize the credentials.
If you restrict credentials to a specific asset and/or port, they will not be used on other assets or ports.
Specifying a port allows you to limit your range of scanned ports in certain situations. For example, you may want to scan Web applications using HTTP credentials. To avoid scanning all Web services within a site, you can specify only those assets with a specific port.
- Click the Account under the Add Credentials tab.
- Enter only the host name or IP address of the asset that you want to restrict the credentials to.
Enter host name or IP address of the asset and the number of the port that you want to restrict the credentials to.
If you do not enter a port number, the Security Console will use the default port for the service. For example, the default port for CIFS is 445.
- When you have finished configuring the set of credentials, click Create.
To verify successful scan authentication on a specific asset, search the scan log for that asset. If the message “A set of [service_type] administrative credentials have been verified.” appears with the asset, authentication was successful.
Enabling a previously created set of credentials for use in a site
If a set of credentials is not enabled for a site, the scan will not attempt authentication on target assets with those credentials. Make sure to enable credentials if you want to use them.
- To enable credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
- Click the Authentication link in the Site configuration. The Scan Credentials table lists any site-specific credentials that were created for the site or any shared credentials that were assigned to the site. For more information, see Shared Credentials vs. Site Specific Credentials.
- Select the Enable check box for any set of credentials that you want to scan with.
- Click the Save button for the site configuration.
Editing a previously created set of site credentials
You cannot edit shared scan credentials in the Site Configuration panel. To edit shared credentials, go to the Administration page and select the Manage shared credentials for scans. See Editing shared credentials that were previously created. You must be a Global Administrator or have the Manage Site permission to edit shared scan credentials.
The ability to edit credentials can be very useful, especially if passwords change frequently. You can only edit site-specific credentials in a Site Configuration panel.
- To enable credentials for an existing site, click that site's Edit icon in the Sites table on the Home page.
- Click the Authentication tab in the Site configuration.
- Click the hyperlink name of any set of credentials that you want to edit.
- Change the configuration as desired. See the following topics for more information:
- When you have finished editing the credentials, click Save.
Verifying scan credential authentication
- Upon completion of a scan, on the Scan Overview page, view the Completed Assets table.
- Locate the asset you have added credentials to.
- Look at the Authentication column for the located asset.
- For more information on Understanding Credential Authentication Status, see the next section.
- For more details, click on the status. The Security Console will bring you to the Node Page.
- In the asset details, locate Credentials and click on the detail listed.
- The Security Console will bring you to the Services table.
- Under the Authentication column, the security console will display which credential was a success or failure.
Enabling scan diagnostics
The scan engine attempts to collect all of the data necessary for a vulnerability or policy assessment, including scan credentials. Even when you submit the proper credentials, vulnerability or policy scans may incorrectly display a partial or total credential failure. Enable Scan Diagnostics to help you better understand what doesn't go as expected and why during credentialed scans. When enabled, Scan Diagnostic checks report a ‘vulnerable’ result against assets when the Scan Engine is supplied with credentials but unable to gather local information.
To access the Vulnerability Checks tab in your scan template and enable Scan Diagnostics:
- In your Security Console, click the Administration tab.
- In the Scans > Scan Templates section, click Manage.
- Click the name link of your existing custom scan template to open it. If you don't have a custom scan template yet, click the copy icon next to the built-in scan template of your choice to create one.
- Scroll down to the Check Configuration section of your scan template. This allows you to adjust vulnerability check options.
- Select and enable Scan Diagnostics.
- Save the Scan Template.
Manually configure credentials to gather network and asset information that can not otherwise be accessed. When you scan a site using credentials, target assets in that site authenticate the Scan Engine as they would an authorized user. This allows you to inspect assets for a wider range of vulnerabilities and security policy violations.
Understanding credential authentication status
In the Authentication column, the security console will display one of the following notes to determine the status of your credential authentication:
- Unknown: Credentials did not return a status or you were running a discovery scan.
- Partial Credential Success: Many different types of credentials were used, with one or more service being correct and one or more being incorrect.
- Credential Success: Correct credentials were provided for range of assets.
- Credential Failure: Incorrect credentials were provided for range of assets.
- No Credentials Used: No credentials provided for range of assets.
Using scan diagnostics to find the cause of authentication failure
Scan Diagnostics can give greater visibility to the possible cause of credential authentication failure. Scan Diagnostic checks report vulnerable results for relevant assets when the Scan Engine is supplied with credentials but unable to gather local information.
Credential Success signifies that the engine was able to authenticate to the device. However, even with working credentials, there are circumstances where aspects of data collection could fail.
Credential Failure or Partial Credential Success can potentially signify that there has been an issue with authentication. Scan Diagnostics can present greater insight into this situation.
Omit scan diagnostic vulnerabilities from reports
Vulnerabilities reported by Scan Diagnostics carry the lowest possible severity and do not impact your risk score. However, they may increase overall vulnerability counts. If you choose to scan with these vulnerabilities you can adjust the scope of generated reports to exclude them from results. This will prevent these inconsequential vulnerabilities from being passed through to remediation teams.