AppCheck can perform credentialed infrastructure scanning to check for vulnerabilities that cannot be determined by scanning a host externally, e.g. missing patches.
Supported login methods
- SSH (*nix)
- SMB/WMI (Windows)
The effectiveness of the tests is dependent upon the user permissions of the account being used.
SSH
Go to: Infrastructure Scanner Settings > Vulnerability Scanner > Options > Credentialed Scanning
Enter the username and password of the user for the target system and the port number of the SSH server (if different from the default).
For maximum effectiveness, the SSH user must have the ability to run any command on the system (i.e. root privileges). While it is possible to run a variety of checks (such as currently installed patches) with non-privileged access, full compliance checks that audit system configuration and file permissions require root access.
Windows Login
Requirements
Stand Alone Windows Machine
For a comprehensive scan the following is recommended:
- File and Printer sharing enabled
- WMI enabled
- Remote Registry service running
- UAC (User Account Control) disabled
- Create a Windows administrator user for AppCheck to use
Scanning with a Windows Domain Account
A Domain Administrator account is required for scanning Domain Controllers. You may want to create a specific Domain Administrator for AppCheck scans.
Configuration steps:
- Create a Security Group for AppCheck
  - On the Domain Controller go to Tools > Active Directory Users and Computers
  - Select Action > New > Group and use the following values:
    + Group name = AppCheck
    + Group scope = Global
    + Group type = Security
- Add a user to the AppCheck Security Group
  + Right click the Domain Administrator we want to add and click 'Add to a group'
  + Enter 'AppCheck' into 'Enter the object name to select' then click 'OK'
- Create an AppCheck Group Policy
  - Go to Tools > Group Policy Management
  - Under your domain right click 'Group Policy Objects' and select 'New'
    + Name the GPO 'AppCheck Scan'
- Add the AppCheck Security Group to the AppCheck Group Policy
  - Right click the 'AppCheck Scan' GPO and select 'Edit'
  - Go to Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  - Right click Restricted Groups and select Add Group
  - In Add Group select browse and enter 'AppCheck'
  - Click 'Check Names'
  - Click 'OK' twice
  - Under 'This group is a member of' click 'Add'
  - Add the Administrators Group
  - Click OK twice
- Enable Windows Management Instrumentation (WMI)
  - Go to Tools > Group Policy Management
  - Right click the 'AppCheck Scan' Group Policy and select 'Edit'
  - Go to Computer configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules
  - Right click in the right-hand panel and select 'New Rule'
  - Select 'Predefined' and choose 'Windows Management Instrumentation (WMI)' from the drop-down menu
  - Click 'Next'
  - Ensure the following check-boxes are checked:
    + Windows Management Instrumentation (ASync-In)
    + Windows Management Instrumentation (WMI-In)
    + Windows Management Instrumentation (DCOM-In)
  - Click 'Next'
  - Click 'Finish'
- Link the Group Policy Object
  - Go to Tools > Group Policy Management
  - Right click your domain and select 'Link an Existing GPO'
  - Select the 'AppCheck Scan' Group Policy
Configure Windows hosts
- Go to Windows Firewall > Windows Firewall Settings and enable 'File and Printer Sharing'
- Run the gpedit.msc command to start the Group Policy Object Editor.
  - Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall
  - Enable 'Allow inbound file and printer exception'
- Run the gpedit.msc command to start the Group Policy Object Editor.
  - Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain
  - Check this is set to Disabled or Not Configured.
- Check the Remote Registry service is running
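To confirm on a target host that the prerequisites listed above are in place before starting a scan, a read-only preflight check can be run locally. This is an added example, not AppCheck's own tooling. It assumes an elevated PowerShell 5.1+ session, English firewall display-group names, and a scan account or group named 'AppCheck'; `$ScanPrincipal` and the two helper functions are names chosen for this example.

```powershell
# Added example (not AppCheck code): read-only preflight for the Windows prerequisites above.
# Run in an elevated PowerShell 5.1+ session on the host that will be scanned.
# Assumptions: English firewall display-group names; scan account or group named 'AppCheck'.
param([string]$ScanPrincipal = 'AppCheck')

function Test-InboundGroupEnabled {
    param([string]$DisplayGroup)
    # True when at least one inbound allow rule in the predefined group is enabled.
    $rules = Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    return [bool]$rules
}

function Test-ServiceRunning {
    param([string]$Name)
    # True only when the service exists and is currently running.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# UAC state: EnableLUA = 0 means UAC is disabled, which this page recommends for a full scan.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

# Members of the built-in Administrators group, looked up by well-known SID (S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$isAdmin = [bool]($admins | Where-Object { $_.Name -like "*\$ScanPrincipal" })

$checks = [ordered]@{
    'File and Printer Sharing inbound rules enabled' = (Test-InboundGroupEnabled 'File and Printer Sharing')
    'WMI inbound firewall rules enabled'             = (Test-InboundGroupEnabled 'Windows Management Instrumentation (WMI)')
    'WMI service (Winmgmt) running'                  = (Test-ServiceRunning 'Winmgmt')
    'Remote Registry service running'                = (Test-ServiceRunning 'RemoteRegistry')
    'UAC disabled (EnableLUA = 0)'                   = ($lua -eq 0)
    "'$ScanPrincipal' is a local administrator"      = $isAdmin
}

# One row per prerequisite; Met = False marks what still needs configuring.
$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Prerequisite = $_.Key; Met = $_.Value } } |
    Format-Table -AutoSize
```

The membership check matches direct members of the local Administrators group only, so pass the name of whichever principal was added there (the 'AppCheck' domain group from the Restricted Groups step, or the local administrator user on a stand-alone machine).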
Add Windows user to AppCheck credentialed scanning
Go to: Infrastructure Scanner Settings > Vulnerability Scanner > Options > Credentialed Scanning
Enter the username and password of the user for the target system.
N.B. Use domain\username if authenticating with an Active Directory account