Vulnerability Management Program (VMP) Credentialed Scanning

To ensure accurate and complete vulnerability detection, all CAES departments must set up Credentialed Scanning with the Information Security Office (ISO) and the CAES Dean's Office so that regularly scheduled scans, as well as Ad Hoc scans run when a potential vulnerability is discovered, can detect, collect, and report on vulnerabilities from within the SecurityCenter tool.


Important Details

  • The credentials are to be created and/or shared within the SecurityCenter tool specifically and not through any other method
  • The passphrase is hidden and encrypted within the SecurityCenter tool; neither the ISO nor the CAES Dean's Office has the ability to view the passphrase associated with the Service Account
  • The Service Account used for the credentialed scanning must have administrative rights over the endpoints at all times
  • The Service Account must be enabled at all times


CAES Dean's Office Ad Hoc Scanning

  • CAES Dean's Office will only trigger Ad Hoc scans when a critical vulnerability is being actively exploited
  • CAES Dean's Office will only trigger Ad Hoc scans for vulnerabilities with an assigned Vulnerability Priority Rating (VPR) over 7.0
  • Ad Hoc scans will be announced on the #caes-sys-admins channel in the UC Davis Slack instance with a request to report any issues


Getting Started

Credentialed Scanning must be set up with both the ISO and the CAES Dean's Office.

  1. To set up Credentialed Scanning with the ISO, follow the steps outlined below:
    1. Locate/Create the OU/AD3 Service Account(s) that can be used for Credentialed Scanning
    2. Email cybersecurity@ucdavis.edu indicating you want to set up Credentialed Scanning for your scheduled scans
    3. Work with the ISO to add the Credentials object to the regularly scheduled scans
      • Generally speaking, a good approach is to join a Zoom meeting with the ISO and have them grant you keyboard and mouse control so you can enter the credentials into the Credentials object they create

  2. To set up Credentialed Scanning with the CAES Dean's Office, follow the steps outlined below:
    1. Locate/Create the OU/AD3 Service Account(s) that can be used for Credentialed Scanning
      1. This can be the same OU/AD3 Service Account(s) used for Credentialed Scanning with the ISO
    2. Follow the steps outlined in Create service account and add credentials in Tenable.sc
    3. Using the Share option under the Cog menu for the Credentials object, share the credentials with the CAES Dean's Office group
    4. Email vmphelp@caes.ucdavis.edu indicating the credentials have been shared


Troubleshooting


  • Credentialed Scanning on Windows
    In order to use the ISO scanners to perform a credentialed scan of a Windows system, Nessus requires the following settings on the target:
        1) The Windows Management Instrumentation (WMI) service must be enabled on the target.
        2) The Remote Registry service must be enabled on the target or the credentials used by Nessus must have the permissions necessary to start the remote registry service and be configured appropriately.
        3) File & Printer Sharing must be enabled on the system to be scanned.
        4) An SMB account must be used that has local administrator rights on the target.
        5) Ports 139 (TCP) and 445 (TCP) must be open between the Nessus scanner and the computer to be scanned.
        6) The default administrative shares (i.e. IPC$, ADMIN$, C$) must be enabled (AutoShareServer = 1).

    Please see Tenable's documentation for more information on how to troubleshoot Credentialed Scanning on Windows devices at https://community.tenable.com/s/article/Troubleshooting-Credential-scanning-on-Windows.
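A PowerShell readiness check covering those six settings, added here as an example (it is not part of the ISO's, CAES's or Tenable's own documentation). It assumes an elevated session on the endpoint to be scanned; the service account name is a placeholder, and reachability of ports 139/445 from the scanner can only be confirmed from the scanner side.

```powershell
# Added example: verify the Nessus credentialed-scan prerequisites on a Windows host.
# Run in an elevated PowerShell session on the target. Reports pass/fail per check.
$ServiceAccount = 'AD3\svc-vmp-scan'   # assumption: placeholder; use the real OU/AD3 service account
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($name, $ok, $detail) {
    $results.Add([pscustomobject]@{ Check = $name; Pass = [bool]$ok; Detail = $detail })
}

# 1) WMI service (Winmgmt) must be running
$wmi = Get-Service -Name Winmgmt
Add-Check 'WMI service running' ($wmi.Status -eq 'Running') "Status=$($wmi.Status)"

# 2) Remote Registry must be running, or at least startable (not Disabled) so Nessus can start it
$rr = Get-Service -Name RemoteRegistry
Add-Check 'Remote Registry running or startable' ($rr.Status -eq 'Running' -or $rr.StartType -ne 'Disabled') `
    "Status=$($rr.Status) StartType=$($rr.StartType)"

# 3) File and Printer Sharing must be allowed inbound through Windows Firewall
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
Add-Check 'File & Printer Sharing inbound rules enabled' ($null -ne $fps) "$(@($fps).Count) rule(s) enabled"

# 4) The scanning account must hold local administrator rights
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Add-Check 'Service account in local Administrators' ($admins -contains $ServiceAccount) ($admins -join ', ')

# 5) TCP 139 and 445 must be listening (path from the scanner is checked from the scanner side)
foreach ($port in 139, 445) {
    $listening = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    Add-Check "TCP $port listening" ($null -ne $listening) ''
}

# 6) Default administrative shares must exist and AutoShareServer must not be 0
$shares  = Get-SmbShare | Select-Object -ExpandProperty Name
$missing = @('IPC$', 'ADMIN$', 'C$') | Where-Object { $shares -notcontains $_ }
Add-Check 'Administrative shares present' (@($missing).Count -eq 0) ('Missing: ' + ($missing -join ', '))
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto = Get-ItemProperty -Path $regPath -Name AutoShareServer -ErrorAction SilentlyContinue
# An absent value means the default (shares enabled), so only an explicit 0 fails the check
$autoOk = ($null -eq $auto) -or ($auto.AutoShareServer -ne 0)
Add-Check 'AutoShareServer not disabled' $autoOk $(if ($null -eq $auto) { 'not set (default)' } else { $auto.AutoShareServer })

$results | Format-Table -AutoSize
```

Any check reporting False points at the corresponding numbered requirement above; fix that setting before re-running the scan.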