Hi Ray, There are many ways you can perform credential management to make use of Nessus to perform audits. The most important factor you need to consider is to be able to work with your IT staff and within their policies.
Technically, you can perform UNIX and Windows audits with non-admin accounts, however, at Tenable, we recommend that you audit with admin/root credentials. This minimizes the chances that you are auditing some portion of the OS or file system which needs admin credentials. I speak to many different organizations who audit with passwords of some sort and the largest issue seems to be synchronizing audits with official password changes. This could occur when IT changes the password(s) without letting the audit group know in advance. I too am interested in how different organizations make use of credentials to leverage configuration and patch audits. Ron Gula Tenable Network Security Ray Van Dolson wrote: > Hi all. Up until now, we've mostly been using Nessus to probe exploits > on a system without using credentialed checks. I'm wanting to change > that to be able to more effectively enforce certain policies before > allowing machines to be placed on certain parts of our networks. > > I'm trying to determine the best way to do this and am interested in > hear from some of you as to what you've found are "best practicies". > > The goal is to not only complete an initial scan, but to regularly scan > these hosts once they are deployed. This means leaving the accounts > that Nessus used on the systems. I want to do this securely as > possible. > > It looks like on the Unix/SSH side I could set up a generic account on > each system and allow authentication with SSH keys. > > On the Windows side I'm not quite as sure. > > * Do I need an account with Administrator level access? Or will a > Power User do? Recommendations? We want to be able to check for > missing updates, and eventually do Policy Compliance > * It looks as if I can provide an SMB username and password with > various hashes. Perhaps Kerberos as well? > > How do you handle your credentialed accounts on deployed systems? > Obviously the risk with a passworded account is that this password gets > out. > > Anyways, looking forward to any feedback / advice. Will be perusing > the archives as well. > > Ray > _______________________________________________ > Nessus mailing list > [email protected] > http://mail.nessus.org/mailman/listinfo/nessus > _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
