AppCheck is able to perform credentialed infrastructure scanning to check for vulnerabilities that cannot be determined by scanning a host externally, e.g. missing patches.
AppCheck supports authentication via:
- SSH (*nix)
- SMB/WMI (Windows)
The effectiveness of the scan depends on the permissions of the account used. For maximum effectiveness, the user should be able to run any command on the system (root privileges on *nix systems, Administrator privileges on Windows systems). While a variety of checks (such as currently installed patches) can be run with non-privileged access, full compliance checks that audit system configuration and file permissions require root access.
SSH
Using Credentials
- Go to: Infrastructure Scanner Settings -> Vulnerability Scanner -> Options -> Credentialed Scanning -> SSH
- Enter the username and password of the user for the target system and the port number of the SSH server
Using a Private Key
- Generate a private/public ssh-rsa key pair
- Deploy the public key to the target hosts
- Go to: Infrastructure Scanner Settings -> Vulnerability Scanner -> Options -> Credentialed Scanning -> SSH
- Enter the username
- Enter the private key, including the BEGIN and END lines
Windows Login
Requirements
Local Credentials
For a comprehensive scan the following is recommended:
- File and Printer sharing enabled
- WMI enabled
- Remote Registry service running
- UAC (User Account Control) disabled
- A Windows administrator user created for AppCheck to use
Windows Domain Account
A Domain Administrator account is required for scanning Domain Controllers. You may want to create a dedicated Domain Administrator account for AppCheck scans.
Configuration steps:
- Create a Security Group for AppCheck
  - On the Domain Controller go to Tools > Active Directory Users and Computers
  - Select Action > New > Group and use the following values:
    + Group name = AppCheck
    + Group scope = Global
    + Group type = Security
- Add a user to the AppCheck Security Group
  - Right click the Domain Administrator you want to add and click 'Add to a group'
  - Enter 'AppCheck' into 'Enter the object name to select' then click 'OK'
- Create an AppCheck Group Policy
  - Go to Tools > Group Policy Management
  - Under your domain right click 'Group Policy Objects' and select 'New'
  - Name the GPO 'AppCheck Scan'
- Add the AppCheck Security Group to the AppCheck Group Policy
  - Right click the 'AppCheck Scan' GPO and select 'Edit'
  - Go to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  - Right click Restricted Groups and select 'Add Group'
  - In Add Group select 'Browse' and enter 'AppCheck'
  - Click 'Check Names'
  - Click 'OK' twice
  - Under 'This group is a member of' click 'Add'
  - Add the Administrators group
  - Click 'OK' twice
- Enable Windows Management Instrumentation (WMI)
  - Go to Tools > Group Policy Management
  - Right click the 'AppCheck Scan' Group Policy and select 'Edit'
  - Go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules
  - Right click in the right-hand panel and select 'New Rule'
  - Select 'Predefined' and choose 'Windows Management Instrumentation (WMI)' from the drop-down menu
  - Click 'Next'
  - Ensure the following check-boxes are checked:
    + Windows Management Instrumentation (ASync-In)
    + Windows Management Instrumentation (WMI-In)
    + Windows Management Instrumentation (DCOM-In)
  - Click 'Next'
  - Click 'Finish'
- Link the Group Policy Object
  - Go to Tools > Group Policy Management
  - Right click your domain and select 'Link an Existing GPO'
  - Select the 'AppCheck Scan' Group Policy
Configure Windows hosts
- Go to Windows Firewall > Windows Firewall Settings and enable 'File and Printer Sharing'
  - Run the gpedit.msc command to start the Group Policy Object Editor
  - Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall
  - Enable 'Allow inbound file and printer exception'
- Run the gpedit.msc command to start the Group Policy Object Editor
  - Go to Local Computer Policy > Administrative Templates > Network > Network Connections > Prohibit use of Internet connection firewall on your DNS domain
  - Check this is set to Disabled or Not Configured
- Check the Remote Registry service is running
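The GPO and host steps above each leave the target in a state that can be verified before the first credentialed scan. The PowerShell script below is an added example, not AppCheck's own documentation or tooling: run on a target host in an elevated session (PowerShell 5.1 on Windows Server 2016 or later, because it uses Get-NetFirewallRule and Get-LocalGroupMember), it reports on the prerequisites listed under Local Credentials: the Remote Registry and WMI services, the three WMI inbound firewall rules, the File and Printer Sharing (SMB-In) rule, the SMB listener, the UAC setting, whether the 'AppCheck' group (the name used in the steps above; pass a different name if you chose one) has been placed in local Administrators by the Restricted Groups policy, and whether the 'AppCheck Scan' GPO shows up as applied. It only reads state and changes nothing.

```powershell
# Added example: pre-scan readiness check for a Windows host that AppCheck will scan over SMB/WMI.
# Not AppCheck's own tooling. Read-only. Run elevated on the target host (or via Invoke-Command).

function Test-AppCheckScanReadiness {
    [CmdletBinding()]
    param(
        # Security group pushed into local Administrators by the Restricted Groups GPO.
        # 'AppCheck' is the name used in the configuration steps; change it if you named the group differently.
        [string]$ScanGroupName = 'AppCheck',
        # GPO name from the configuration steps.
        [string]$GpoName = 'AppCheck Scan'
    )

    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Check, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Remote Registry: the scanner reads installed patches and configuration through it.
    $rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Add-Check 'Remote Registry service running' ($null -ne $rr -and $rr.Status -eq 'Running') `
        ("Status: {0}; StartType: {1}" -f $rr.Status, $rr.StartType)

    # 2. WMI service itself.
    $wmi = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue
    Add-Check 'WMI (Winmgmt) service running' ($null -ne $wmi -and $wmi.Status -eq 'Running') `
        ("Status: {0}" -f $wmi.Status)

    # 3. The three inbound rules the 'Windows Management Instrumentation (WMI)' predefined rule enables
    #    (ASync-In, WMI-In, DCOM-In). Enabled is reported as the string 'True'/'False'.
    $wmiOn = @(Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
                   -Direction Inbound -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    Add-Check 'WMI inbound firewall rules enabled (expect 3)' ($wmiOn.Count -ge 3) ($wmiOn.DisplayName -join '; ')

    # 4. File and Printer Sharing: the SMB-In rule is what lets the scanner reach TCP 445.
    $smbOn = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                   -Direction Inbound -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.DisplayName -like '*SMB-In*' })
    Add-Check 'File and Printer Sharing (SMB-In) rule enabled' ($smbOn.Count -gt 0) ($smbOn.DisplayName -join '; ')

    # 5. SMB listener is actually up (local check only; run from the scanner's network to confirm reachability).
    $tcp = Test-NetConnection -ComputerName localhost -Port 445 -WarningAction SilentlyContinue
    Add-Check 'TCP 445 accepting connections' ([bool]$tcp.TcpTestSucceeded) ("localhost:445 -> {0}" -f $tcp.TcpTestSucceeded)

    # 6. UAC: the requirements list asks for UAC to be disabled, which sets EnableLUA to 0.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    Add-Check 'UAC disabled (EnableLUA = 0)' ($sys.EnableLUA -eq 0) ("EnableLUA = {0}" -f $sys.EnableLUA)

    # 7. Restricted Groups result: the scan group should be a member of local Administrators.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $member = @($admins | Where-Object { $_.Name -like "*\$ScanGroupName" })
    Add-Check "'$ScanGroupName' in local Administrators" ($member.Count -gt 0) ($admins.Name -join '; ')

    # 8. The GPO is linked and has been applied to this computer (listed under 'Applied Group Policy Objects').
    $gp = @(gpresult /r /scope:computer 2>$null)
    $applied = @($gp | Where-Object { $_ -match [regex]::Escape($GpoName) })
    Add-Check "'$GpoName' GPO applied" ($applied.Count -gt 0) ($applied -join '; ')

    return $checks
}

# Usage: print the report and flag anything that would make the credentialed scan fall back to unauthenticated checks.
$report = Test-AppCheckScanReadiness
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} prerequisite(s) not met: {1}" -f $failed.Count, ($failed.Check -join '; '))
}
```

The firewall checks look at whether the rules are enabled, not at which profile they apply to; if the host is on the Domain profile and the GPO enabled the rules only there, the report will still show them enabled, so read the Detail column if the scanner sits on a different network. Check 5 only proves the listener is up on the host; confirm reachability from the scanner's own network segment separately.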
Add Windows user to AppCheck credentialed scanning
- Go to: Infrastructure Scanner Settings -> Vulnerability Scanner -> Options -> Credentialed Scanning
- Enter the username and password of the user for the target system
- Use the format domain\username if authenticating with an Active Directory account
The OpenSSH or SMB ports need to be open on the target host(s). When authentication is successful, the scan reports "SSH Login Successful" or "SMB Login Successful" under Info findings.