What does the Qualys account need to be set to, to scan a domain controller for policy compliance? Having a hard time finding that documentation.
IMHO the best option would be to have domain admin privs. Anything less than admin privs means that some areas are not available to the scan (although this may be arguable - for compliance there are only a few things which can't be picked up with non-admin accounts - Qualys has done a lot of work here). Domain only because of ease of maintenance - change it once per domain and you only need to change the Qualys authentication record once too.
Are you doing Vulnerability Management too? How is authentication working there? That would use the same accounts as PC scans.
Yes, we are doing a vuln scan at the same time. The auth on the vuln scan shows "PASS", so that's why I am confused.
Sam,
Have a look at QID 70053 for the host. Does it use the authentication record you expect or is it an SMB Null session?
Which user account does it mention ?
Does it mention SMB Null Session or the real one reflected in your authentication record ?
QID 70028 concurs.
Both mention the Qualys account we are using for the Domain the Domain Server is part of and the Auth record that works for every other server on that domain.
Security User-based
SMBv1 Signing Enabled
Discovery Method Login credentials provided by user
CIFS Signing default
CIFS Version SMB v3.0.2
OK that's good.
There are some useful tests here -> Compliance Scan WinServer 2012 R2 - Insufficient privilege issue
Especially the standard run-as test that Qualys support will ask you to do.
I believe we created a special Domain Administrator group except the group does not make changes; i.e. can't make changes to the domain but has the READ access to the entire Domain. I am in the process of confirming this and will post once I have it if I remember to.
We see that the document date is 2018 but it talks about Windows NT domains and Windows 2000 servers. Is it possible to get something that addresses Active Directory domains at domain level 2012R2?
A VM report shows we have these QIDs from the list in that link (not sure which ones we should be concerned with):
90195 Windows Registry Key Access Denied
70028 Windows Authentication Method
70053 Windows Authentication Method for User-Provided Credentials
90331 Access to File Share is Enabled
90399 Windows File Access Denied
105025 Windows Registry Access Level
So the fix for me to get the scans and auth to show 'Passed' was to 'Enable' the 'Scan Restriction' of the 'Option Profile'.
So go to Policy Compliance -> Scans -> Option Profiles
Then edit the Option Profile you are using and check 'Scan by Policy', then select the Policy you have created.
Hope this helps someone with the same issue.
Sam,
Scan by policy has the effect of reducing the number of controls checked for. It may be a side-effect that it fixes the auth problem but that wouldn't be expected behaviour. Perhaps someone from Qualys can chime in after looking at the issue more deeply on the Qualys side.
They would probably be interested in which controls were in your policy but don't post them here.
Hi Sam,
The best way to see which control(s) is causing this message would be to work with support to get a debug log, which will point to this area. Since restricting the scan by policy eliminates the "Insufficient Privilege" message, that indicates that none of the controls in the policy are impacted, as Damian mentioned.
Thanks,
Hariom.
We are getting this error :