The saying “You don’t know what you can’t see” applies here; ask yourself, “How can you protect systems if you do not have a firm grasp of what your network looks like?” Having a vulnerability scanning tool is an excellent first step, but it will only get you so far if it is not configured correctly. Every environment is different, but this core concept applies to any organization.
In this guide, we will demonstrate through pictures how incorrect configurations yield vastly different results.
What is a Non-Authenticated (No Credential) Scan?
A non-authenticated scan will try to scan the machine based on what it can see from accessible information. The scanner will also analyze network-based characteristics and website banner information to find vulnerabilities.
What is an Authenticated (Credential) Scan?
Opposite the above, an authenticated scan allows the scanner to perform a deeper and more accurate inventory of the target machine. It simply logs into the device like a user would and automatically performs an in-depth inventory collection of the machine.
- OS: Server 2019 – 17763.737
- Role: IIS Web Server
- Date of Scan: 1/22/2022
- Software Used: Tenable Nessus
- Tenable Plugin Set: 202201221810
First Scan: Non-Authenticated (no credentials)
The results of this scan show only one Medium finding. This seems really good, but is this the whole picture? Are we missing anything? Are we being misled? Let’s see what happens when we run a credentialed scan. Will we get the same results?
Second Scan: Authenticated (using credentials)
The results of this scan show a completely different picture. As illustrated, we see a lot more vulnerabilities. A whopping 62 vulnerabilities have been found, breaking down to 22 Critical, 34 High, and 6 Medium findings. Further down, the Vulnerability Priority Report (VPR) shows currently known exploits and attacks based on these important discoveries.
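To make the gap between the two scans measurable rather than eyeballed from screenshots, the following added example (not code from the original post or from Tenable) compares two Nessus CSV exports of the same host and reports which non-informational findings only the credentialed scan surfaced. The two exports embedded below are constructed sample data with placeholder plugin IDs and names; only the column headers (Plugin ID, Risk, Host, Protocol, Port, Name) follow the Nessus CSV export layout, and the rest of the export's columns are omitted for brevity.

```python
"""Compare an uncredentialed and a credentialed Nessus CSV export of one host."""
import csv
import io
from collections import Counter

# Severity labels as they appear in the Nessus CSV "Risk" column; "None" is informational.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "None")

# Constructed sample exports (not real scanner output). Plugin IDs and names are
# placeholders; the column names follow the Nessus CSV export headers.
UNAUTH_CSV = """\
Plugin ID,Risk,Host,Protocol,Port,Name
900001,None,10.0.0.5,tcp,80,Placeholder: HTTP server banner
900002,None,10.0.0.5,tcp,443,Placeholder: TLS service detected
900003,Medium,10.0.0.5,tcp,443,Placeholder: self-signed certificate
"""

AUTH_CSV = """\
Plugin ID,Risk,Host,Protocol,Port,Name
900001,None,10.0.0.5,tcp,80,Placeholder: HTTP server banner
900002,None,10.0.0.5,tcp,443,Placeholder: TLS service detected
900003,Medium,10.0.0.5,tcp,443,Placeholder: self-signed certificate
900010,Critical,10.0.0.5,tcp,445,Placeholder: missing cumulative OS update
900011,High,10.0.0.5,tcp,0,Placeholder: outdated third-party runtime
900012,High,10.0.0.5,tcp,0,Placeholder: local privilege escalation patch missing
900013,Medium,10.0.0.5,tcp,0,Placeholder: weak local audit setting
"""


def parse_export(text):
    """Return {(host, plugin_id, port): row} for a Nessus-style CSV export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host"], row["Plugin ID"], row["Port"])
        findings[key] = row
    return findings


def severity_counts(findings):
    """Count findings per Risk label, skipping informational ("None") plugins."""
    counts = Counter(r["Risk"] for r in findings.values() if r["Risk"] != "None")
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER if sev != "None"}


def compare_scans(unauth, auth):
    """Split findings into those only the credentialed scan saw, those only the
    uncredentialed scan saw, and those both scans saw."""
    u, a = set(unauth), set(auth)
    return {
        "only_credentialed": a - u,
        "only_uncredentialed": u - a,
        "both": a & u,
    }


def coverage_gap(unauth, auth):
    """Return, grouped by severity, the non-informational findings that the
    uncredentialed scan missed entirely."""
    delta = compare_scans(unauth, auth)["only_credentialed"]
    missed = {k: auth[k] for k in delta if auth[k]["Risk"] != "None"}
    return severity_counts(missed)


if __name__ == "__main__":
    unauth = parse_export(UNAUTH_CSV)
    auth = parse_export(AUTH_CSV)
    print("uncredentialed:            ", severity_counts(unauth))
    print("credentialed:              ", severity_counts(auth))
    print("missed without credentials:", coverage_gap(unauth, auth))
```

Findings are keyed on host, plugin ID and port so that the same plugin firing on two ports is not collapsed into one; the `coverage_gap` output is the number a practitioner should watch over time, because a scanner whose credentials silently stop working (expired password, revoked account, blocked admin share) degrades into an uncredentialed scan and that gap reappears without any alert from the tool itself.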
When should authenticated scans be performed?
These scans should run on all internal endpoints. They can also run against DMZ-based assets provided there is a second internal network leg with line-of-sight to the scanner. Authenticated scans should not occur against publicly accessible internet-facing systems, as you are subject to more risks and man-in-the-middle-based attacks; a stolen scanning credential could then be used against your infrastructure.
Where should non-authenticated scans be performed?
These scans should run against public internet-facing endpoints. This ensures that credentials will not be at risk of compromise. However, to get the most accurate scan, an agent-based vulnerability scanner that runs directly on the box should be used instead. An agent-based scanner will see about 99% of the vulnerabilities; it is not 100% because hardware baseboard management services (Intel AMT) might be invisible to the OS or loopback network interfaces.