How to identify credentials worked on Windows hosts

Article ID: 184155

Products

Control Compliance Suite Vulnerability Manager

Resolution

In the scan logs, search for the following lines:

Failure => "Logging administrative credential status SUPPLIED_FAILED for service CIFS."

Success => "Logging administrative credential status SUPPLIED_SUCCESS_IS_LOCAL_ADMIN for service CIFS."

For security reasons, the logs do not record which accounts were used during scanning.

+++++++++++++++++++++++++++++++++++

To get a fingerprint certainty of 1.0:

1) Make sure the scanning account works and can log in to the system.
2) Make sure the Nexpose scanner can reach the system on ports 139 and 445. If there is a firewall between the scanner and the target assets, we recommend completely whitelisting the scanner in the firewall.
3) Make sure the scanning account is a member of the Domain Administrators group on the scan targets. Keep in mind that not all Domain Admins are local admins: verify membership in the local Administrators group, otherwise even a domain admin is treated as a regular user. Also remember that domain settings and group memberships can differ by OU (the part of Active Directory in which this particular organization sits).
4) The credentials being used need remote registry access on the assets being scanned. (This also means the Remote Registry service may need to be enabled on the target assets if you are not using a domain admin account.)
5) If using domain accounts with UAC, it may also be necessary to add the DWORD registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy and set it to 1. Make sure it is a DWORD and not a string.

Example of a fingerprint line showing certainty=1.0:

=======

2016-03-29T11:10:34 [INFO] [Thread: [email protected]] [Site: HPW-DMZ-Internal-IP Ranges-001] [192.168.XX.XX] SystemFingerprint [[architecture=x86_64][certainty=1.0][description=Microsoft Windows Server 2012 R2][deviceClass=Server][family=Windows][product=Windows Server 2012 R2][vendor=Microsoft][version=]] source: Merged services

========
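As an added example (not part of the article or the product), the following script reads scan-log lines in the format quoted above, pairs each host's CIFS credential status with its SystemFingerprint certainty, and lists the hosts that did not reach a local-admin login with certainty 1.0. The log lines and addresses are constructed samples, and the exact field layout is assumed from the single line shown in the article.

```python
import re
from collections import defaultdict

# Constructed sample scan-log lines (not real scanner output), in the
# layout the article quotes: one credential-status line and one
# SystemFingerprint line per host.
SAMPLE_LOG = """\
2016-03-29T11:10:31 [INFO] [Site: Example-Site-001] [192.0.2.10] Logging administrative credential status SUPPLIED_SUCCESS_IS_LOCAL_ADMIN for service CIFS.
2016-03-29T11:10:34 [INFO] [Site: Example-Site-001] [192.0.2.10] SystemFingerprint [[architecture=x86_64][certainty=1.0][description=Microsoft Windows Server 2012 R2][deviceClass=Server][family=Windows][product=Windows Server 2012 R2][vendor=Microsoft][version=]] source: Merged services
2016-03-29T11:10:40 [INFO] [Site: Example-Site-001] [192.0.2.11] Logging administrative credential status SUPPLIED_FAILED for service CIFS.
2016-03-29T11:10:44 [INFO] [Site: Example-Site-001] [192.0.2.11] SystemFingerprint [[architecture=][certainty=0.85][description=Microsoft Windows][deviceClass=][family=Windows][product=Windows][vendor=Microsoft][version=]] source: Merged services
"""

IP = r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
CRED_RE = re.compile(IP + r".*credential status (?P<status>\S+) for service (?P<svc>\w+)\.")
FP_RE = re.compile(IP + r" SystemFingerprint \[\[(?P<fields>.*)\]\] source:")

def parse_scan_log(text):
    """Return {ip: {"cifs": credential status or None, "certainty": float or None}}."""
    hosts = defaultdict(lambda: {"cifs": None, "certainty": None})
    for line in text.splitlines():
        m = CRED_RE.search(line)
        if m and m.group("svc") == "CIFS":
            hosts[m.group("ip")]["cifs"] = m.group("status")
            continue
        m = FP_RE.search(line)
        if m:
            # Fields look like "key=value][key=value"; split them into a dict.
            fields = dict(f.split("=", 1) for f in m.group("fields").split("]["))
            if fields.get("certainty"):
                hosts[m.group("ip")]["certainty"] = float(fields["certainty"])
    return dict(hosts)

def hosts_needing_attention(text):
    """IPs whose CIFS credentials were not accepted as local admin or whose
    fingerprint certainty is below 1.0; these are the hosts to walk through
    the checklist above."""
    return sorted(ip for ip, h in parse_scan_log(text).items()
                  if h["cifs"] != "SUPPLIED_SUCCESS_IS_LOCAL_ADMIN" or h["certainty"] != 1.0)

if __name__ == "__main__":
    for ip, h in parse_scan_log(SAMPLE_LOG).items():
        print(ip, h)
    print("needs attention:", hosts_needing_attention(SAMPLE_LOG))
```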


Also, when credentials are tested from the credentials page, the test connects to the asset from the currently assigned scan engine. If that engine is not online, the test may fail with an error such as 'The console cannot contact the scan engine. Verify that the scan engine is online.'