QualysNewsletter: April 2004
 
Quick Tips
Trusted Scanning for Windows Systems

Windows authentication is an optional feature of QualysGuard that provides the scanning engine with the ability to log into each host at the time of the scan and obtain information related to system variables and registry keys. With this information, the scanner has the ability to detect vulnerabilities that would otherwise be undetected. Trusted scanning allows QualysGuard users to non-intrusively confirm whether several Windows-related threats actually exist on the host.

By using the Windows authentication feature, administrators enable QualysGuard to:
  • Perform more accurate OS detection, such as distinguishing between Windows XP, Windows 2000, and Windows 2003.

  • Detect installed service packs, hot fixes, and security upgrades on each host, confirming whether possible threats have been properly patched.

  • Test for additional vulnerabilities and gather information related to system variables and registry keys.
Step 1: Set Up User Accounts
To use the authentication feature, it is recommended that you create a dedicated Windows user account (such as a "scanner" user account) to be used solely by the network security service for authentication. This user account must have full read access to all registry keys. If possible, configure the user account so that the password does not expire.

Host level and domain level authentication options are provided. Account requirements for each option are described below.
  • Local Host Level. To successfully authenticate at the host level, the account must be added to each host that the scanner will authenticate locally.

  • Domain Level. To successfully authenticate at the domain level, the account must be added to the Domain Controller and be assigned certain permissions. Specifically, the domain account needs privileges that allow read access to remote registries and minimal domain access otherwise. The default administrator account privileges cannot be used. See Domain Account Requirements for complete details.
It's possible to configure the scanner to use multiple user accounts for authentication; however, only one account may be used to authenticate to each host. These configurations are made in authentication records, as described below.

Step 2: Add Authentication Records
An authentication record assigns a user account to one or more IP addresses. Multiple authentication records may be added, and multiple user accounts may be used for authentication. However, a single IP address can be defined in only one record (preventing one IP address from being authenticated by multiple accounts).

To add an authentication record, follow these steps:

1) Select Preferences from the main menu.

2) On the Options tab, under Authentication, click New Record.

3) Enter record information:
  • Windows Authentication. Select authentication at the domain or local host level. For domain level authentication, supply a Windows domain name.

  • Windows User Name. Windows user account login ID.

  • Windows Password. Windows user account password.

  • IPs. Target hosts to be authenticated by the Windows user account. One IP address can be defined in one record only (multiple user accounts cannot be used to authenticate to one target IP).

4) Click Save.

Figure 1: Windows Authentication Record

Authentication records must be kept up to date. If the password changes for a user account in an authentication record, the authentication record must be updated. Also, when new IPs are added to the account, authentication is not enabled by default for these hosts. Newly-added IPs must be added to existing or new authentication records, as appropriate, if authentication is desired.
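As an added illustration (not part of the newsletter or of QualysGuard itself), the following Python script models the two record rules described above: an IP may appear in only one authentication record, and any target IP with no record is scanned without authentication. The account names, IP ranges and scan targets are constructed samples.

```python
"""Added example: check a set of Windows authentication records for overlaps and gaps."""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample records: account -> IP specs (single address, CIDR block, or a-b range).
SAMPLE_RECORDS = {
    "CORP\\scanner": ["10.0.1.0/28", "10.0.2.10"],
    "HOSTLOCAL\\scanner": ["10.0.1.8-10.0.1.12"],  # overlaps the first record on 5 addresses
}

# Constructed scan targets; 10.0.3.1 is a newly added host with no record yet.
SAMPLE_SCAN_TARGETS = ["10.0.1.0/28", "10.0.2.10", "10.0.3.1"]


def expand(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand a single IP, a CIDR block, or a dash range into individual addresses."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return {ipaddress.IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)}
    # strict=False lets a host address with a prefix (e.g. 10.0.1.5/28) denote its block.
    return set(ipaddress.IPv4Network(spec, strict=False))


def find_conflicts(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {ip: [accounts]} for every IP that appears in more than one record.

    Such an IP would be claimed by several accounts, which the record model forbids.
    """
    seen: Dict[ipaddress.IPv4Address, List[str]] = {}
    for account, specs in records.items():
        for ip in set().union(*(expand(s) for s in specs)):
            seen.setdefault(ip, []).append(account)
    return {str(ip): accts for ip, accts in sorted(seen.items()) if len(accts) > 1}


def uncovered_targets(records: Dict[str, List[str]], targets: Iterable[str]) -> List[str]:
    """Return scan-target IPs that no record authenticates (they would be scanned unauthenticated)."""
    covered = set().union(*(expand(s) for specs in records.values() for s in specs))
    wanted = set().union(*(expand(t) for t in targets))
    return [str(ip) for ip in sorted(wanted - covered)]


if __name__ == "__main__":
    print("conflicting IPs:", find_conflicts(SAMPLE_RECORDS))
    print("targets without a record:", uncovered_targets(SAMPLE_RECORDS, SAMPLE_SCAN_TARGETS))
```

Run it against an export of your own records before a scheduled scan; a non-empty second list is exactly the "newly added IPs are not authenticated by default" situation the text warns about.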

Step 3: Select Enable Windows Authentication
Windows authentication is performed only when the Enable Windows authentication option is selected in the options profile. When this option is selected, all existing authentication records are applied to the scan.

You may choose to create a new options profile or edit an existing one. See Creating Options Profiles or Editing Options Profiles for more information.

Figure 2: Windows Authentication Option

If you have any questions about your account, please contact us at support@qualys.com or by phone, toll free (US: 1 (866) 801 6161; EMEA: +33 (0) 1 44 17 00 41).


©2004 Qualys, Inc. All rights reserved