Recently in Computerworld, a security manager reported on a frightening realization about the user account he was using in his unnamed vulnerability scanner.

The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities.

For more details, see spot.html

Making sure you use the correct credentials is an important way to check what someone could reach on your network. Nexpose leverages credentials to gain accurate version and configuration information. The vast majority of all vulnerabilities are only detectable with authenticated device access: this is true of all vulnerability scanning products and is a result of the secure design of devices on your network. Should you choose to scan your environment without properly configured credentials, bear in mind that you'll likely be missing the majority of vulnerabilities (false negatives) and the results obtained are more likely to be inaccurate (false positives).

In addition, Nexpose uses an expert system at the core of its scanning technology in order to chain multiple actions together to get the best results when scanning. For example, if it is able to use default configurations to get local access to an asset, then it will trigger additional actions using that access. The effect of the expert system is that you may see scan results beyond those directly expected from the credentials you provided; for example, if some scan targets cannot be accessed with the specified credentials, but can be accessed with a default password, you will also see the results of those checks. This behavior is similar to the approach of a hacker and enables Nexpose to find vulnerabilities that other scanners may not.

To help you avoid a similar situation to that anonymous security manager's and get the most from your Nexpose installation, here are some resources we offer:

  • The Nexpose Help and User's Guide provide information on what credentials are needed. This information is in the Configuring Scan Credentials section.

  • There is an option to test your credentials in the Scan Configuration in the Nexpose interface, in the Authentication tab. You can enter the address of a computer, and Nexpose will test whether it can successfully use those credentials to access that computer.

In addition, you can intentionally conduct a test for a situation such as the one described in the article. You can select an application you know should be able to be accessed on a particular machine with particular credentials, scan that machine with those credentials, and confirm that it indeed finds the expected results.

Another option is to run a report on vulnerabilities, such as the XML Export report. In the Scope section, select Vulnerability Filters. Under By Check Results, select Vulnerable and non-vulnerable. After running the scan and report, look for checks that look at software versions. If your credentials are configured correctly, these checks will appear with a "not vulnerable" result. If the credentials are not configured correctly, these checks will not appear in the report at all.

By making sure you are using a correctly configured username and password to scan for vulnerabilities, you increase your ability to find and fix things you didn't know about, and keep them from hurting you.