Get Started
Using an account with administrator privileges allows the service to collect information from
registry keys, administrative file shares (such as C$) and running services. For vulnerability
management (VM) scans it is possible to use an account with less than administrator rights;
however, this limits scanning to fewer checks, and scans return less accurate, less complete results.
Windows uses an ACL-based approach. Each object (file, registry key) can have its own
ACL listing the accounts that have specific types of access (read, write, etc.) to that object.
The scanning account must have access to a few objects or authentication itself will fail,
including the IPC$ pipe share, the registry API and others. Missing access rights to other
objects will simply cause the corresponding vulnerability checks (QIDs) and compliance checks
(controls) to fail. Most security checks require access to multiple objects, and the detailed
list varies with operating system version, patch level, configuration settings, etc. The only
way to know whether access is sufficient is to run a scan and review the reported access failures.
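The following PowerShell script is an added pre-flight check and is not part of the Qualys guide. Run it from a machine that can reach the target, in a session started as the scanning account, and it reports whether that account can reach the objects named above: the IPC$ pipe share, the administrative file shares, the Remote Registry service and a couple of registry keys read through the remote registry API. The target name, the two registry keys probed and the script file name are assumptions chosen for illustration; it needs Windows PowerShell 5.1 because Get-Service -ComputerName was removed in PowerShell 7.

```powershell
# Added example, not from the Qualys guide. Usage, as the scanning account:
#   runas /user:CORP\svc-qualys-scan "powershell.exe -File .\Test-ScanAccess.ps1 -Target WIN-TARGET01"
# (CORP\svc-qualys-scan and WIN-TARGET01 are assumed names.)
param(
    [Parameter(Mandatory)][string]$Target
)

$report = [ordered]@{}

# 1. IPC$ is mandatory: without it authentication itself fails. 'net use' opens an
#    IPC session with the current credentials and exits non-zero on access denied.
net use "\\$Target\IPC$" 2>&1 | Out-Null
$report['IPC$ session'] = ($LASTEXITCODE -eq 0)

# 2. Administrative file shares used by file-based checks. Test-Path exercises both
#    the share ACL and the NTFS ACL of the share root; it returns False on access denied.
foreach ($share in 'ADMIN$', 'C$') {
    $report["share $share"] = Test-Path -Path "\\$Target\$share"
}

# 3. The Remote Registry service must be running for registry-based checks.
try {
    $svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
    $report['RemoteRegistry service'] = ($svc.Status -eq 'Running')
} catch {
    $report['RemoteRegistry service'] = $false
}

# 4. Registry API: open HKLM remotely and read keys that checks commonly touch.
#    A SecurityException from OpenSubKey means the winreg pipe ACL or the key ACL
#    excludes this account; a failure of OpenRemoteBaseKey means the service is
#    stopped or the host is unreachable. (Keys below are illustrative choices.)
$keysToProbe = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion',               # OS version / patch level
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'  # remote registry ACL itself
)
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
    foreach ($path in $keysToProbe) {
        try {
            $key = $hklm.OpenSubKey($path, $false)   # read-only open
            $report["registry $path"] = ($null -ne $key)
            if ($key) { $key.Close() }
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            $report["registry $path"] = $false
        }
    }
    $hklm.Close()
} catch {
    foreach ($path in $keysToProbe) { $report["registry $path"] = $false }
}

# 5. Tear down the IPC session so no credential state is left behind on the target.
net use "\\$Target\IPC$" /delete 2>&1 | Out-Null

$report.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

A FAIL on the IPC$ line predicts an authentication failure in the Authentication Report; a FAIL on a share or registry line predicts that the checks depending on that object will report access failures while authentication itself still passes. This script only samples a few objects, so a clean run does not replace reviewing the access failures reported by an actual scan.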
Windows Domain Controllers
Only Domain Administrator accounts can be used to scan Domain Controllers. We suggest
you create a dedicated domain account to be used for authentication and add that account
to the Domain Admins group. There are certain Group Policy settings that we
recommend as best practice for scanning Windows systems. See Windows Domain
Account Setup to learn more.
If you have any security concerns running scans on Domain Controllers with Domain
Administrator privileges, consider using Qualys Cloud Agent. To learn more about Cloud
Agent, see the Qualys Cloud Agent Getting Started Guide.
What Authentication Schemes are used?
Our service attempts the authentication schemes supported by the target host in order,
from the most secure scheme to the least secure. We support the following authentication
schemes, from highest to lowest:
1) Kerberos with AES-128/256
2) Kerberos with RC4-HMAC (128-bit)
3) NTLMv2
4) NTLMv1 (disabled by default; you can enable it within a Windows authentication
record)
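To see which of the four schemes a given host will actually accept, the following PowerShell script, added here and not part of the Qualys guide, reads the policy registry values behind "Network security: LAN Manager authentication level", "Network security: Restrict NTLM: Incoming NTLM traffic" and "Network security: Configure encryption types allowed for Kerberos". Run it locally on the target in an elevated session. The function names are this example's own; the registry paths and value semantics are the documented Windows ones.

```powershell
# Added example, not from the Qualys guide. Reports what this host accepts for the
# Kerberos and NTLM schemes listed above. Function names are this example's own.

function Get-RegDword {
    # Returns the DWORD value, or $null when the value (or key) is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-KerberosEtypes {
    # SupportedEncryptionTypes is a bitmask using the same flags as the AD attribute
    # msDS-SupportedEncryptionTypes. When the policy is not set, the OS default applies,
    # which differs between Windows releases and updates, so it is reported as such.
    $mask = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 'SupportedEncryptionTypes'
    if ($null -eq $mask) { return 'not configured (OS default applies)' }
    $flags = [ordered]@{
        1  = 'DES-CBC-CRC'
        2  = 'DES-CBC-MD5'
        4  = 'RC4-HMAC'                  # scheme 2 above
        8  = 'AES128-CTS-HMAC-SHA1-96'   # scheme 1 above
        16 = 'AES256-CTS-HMAC-SHA1-96'   # scheme 1 above
    }
    $enabled = foreach ($bit in $flags.Keys) { if ($mask -band $bit) { $flags[$bit] } }
    return ('0x{0:X} = {1}' -f $mask, ($enabled -join ', '))
}

function Get-NtlmAcceptance {
    # LmCompatibilityLevel controls what this host accepts as a server:
    #   0-3 accept LM, NTLMv1 and NTLMv2 responses
    #   4   refuse LM
    #   5   refuse LM and NTLMv1 (NTLMv2 only)
    # Absent = OS default, which is 3 on Windows Vista / Server 2008 and later.
    $level = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($null -eq $level) { $level = 3 }

    # RestrictReceivingNTLMTraffic: 0 = allow all, 1 = deny domain accounts, 2 = deny all.
    # A scanning account is normally a domain account, so 1 and 2 both block it.
    $restrict = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictReceivingNTLMTraffic'
    if ($null -eq $restrict) { $restrict = 0 }

    [pscustomobject]@{
        LmCompatibilityLevel            = $level
        IncomingNtlmRestriction         = @('allow all', 'deny domain accounts', 'deny all')[$restrict]
        AcceptsNTLMv2FromDomainAccounts = ($restrict -eq 0)                      # scheme 3
        AcceptsNTLMv1FromDomainAccounts = ($level -lt 5) -and ($restrict -eq 0)  # scheme 4
    }
}

"Kerberos encryption types : $(Get-KerberosEtypes)"
Get-NtlmAcceptance | Format-List
```

Read the output against the list above: if RC4-HMAC is disabled on the host, Kerberos must succeed with AES or the scanner falls through to NTLM, and if incoming NTLM is restricted as well, only Kerberos with AES remains. Note also, as general Windows behaviour rather than a statement from this guide, that Kerberos needs a service principal name, so a target addressed by IP address rather than by its DNS or NetBIOS name normally ends up on NTLM; a host with incoming NTLM set to "deny all" will then fail authentication even though the account is valid.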
Steps for authenticated scans
The steps below describe how to set up Windows trusted scanning for a Qualys scan. For
vulnerability scans, authentication to the target host is optional but recommended. For
compliance scans, authentication is required.
Step 1 – Set up a Windows user account to be used by our security service for
authentication.
Step 2 – Using Qualys:
1) Create Windows authentication records.
2) Select an option profile. For a vulnerability scan be sure to select “Windows” in the
Authentication section.
3) Launch a scan.
4) Verify that authentication passed for each target host. Tip - Run the Authentication
Report to view the authentication status (Passed or Failed).