Are you scanning your network hosts for security vulnerabilities while logged in as a user? If not, you should be. Authenticated testing can add a lot of value to your overall security assessment results. You’ll find a lot more missing patches, weak share permissions, and general misconfigurations. Authenticated scans provide the true picture of where things really stand.
The reality is that criminal hackers and malware often have authenticated access into network hosts, so why shouldn’t you be testing in the same context? If someone else is able to peruse your systems and exploit flaws as a logged-on user, then you need to be doing the same.
Although authenticated scans will paint the most reliable picture of your network host security, before you start testing with authentication, there are a few things you need to know. Here’s what I’ve learned over the years:
- Authenticated scans will give you a ton of information – sometimes too much. This can be a problem, especially if others reading your report(s) are not very technical. A lot of “Level 5” or “Critical” flaws can make internal auditors, management, and others outside of IT really nervous if they don’t fully understand what they’re looking at. You have to be prepared to set their expectations that it’s (likely) not as bad as things appear on the surface.
- Authenticated scans can create trouble on the local hosts you’re testing. It’s rare, but general vulnerability scans can lock user accounts, fill up log files, and leave other remnants on the system. These scans are not as invasive as web vulnerability scans, but this is something you need to be prepared for.
- You’re going to need more time – a lot more time – to run authenticated scans. I’ve found that vulnerability scans with authentication typically take two to three times longer. If you have several hundred, or even thousands of, network hosts, this can lengthen your testing time significantly. You’ll also need more time for analyzing your scanner results and reporting – especially if you’re writing a separate formal report.
- Scanning using multiple user role levels is ideal (e.g. a standard domain user with limited privileges and a local or domain administrator). At a minimum, I recommend scanning at the highest privilege level possible. Scanning as an administrator or equivalent will give you the most visibility into your security vulnerabilities.
- All things considered, you really don’t have to run authenticated scans every time. It’s also good to know how things look from an outsider’s perspective (i.e. without authentication). I’ve found that running these scans every other time – or at least once per year – works well.
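The first point above, that authenticated results can overwhelm a non-technical reader, is easier to manage if you diff the authenticated scan against the unauthenticated one and collapse the new findings by check rather than by host: three hundred "Critical" rows are often one missing patch on three hundred machines. The script below is an added example written for this post, not code from the original article or from any scanner vendor. It assumes a generic finding format of (host, check id, severity 1–5) and uses constructed sample data; the check ids and addresses are placeholders, not real vulnerability identifiers.

```python
from collections import Counter, defaultdict

# Constructed sample findings (not real scanner output). Each entry is
# (host, check_id, severity) with severity on a hypothetical 1-5 scale,
# where 5 corresponds to the "Level 5" / "Critical" label in the post.
UNAUTHENTICATED = [
    ("10.0.0.5", "SMBv1-enabled", 3),
    ("10.0.0.6", "SMBv1-enabled", 3),
    ("10.0.0.7", "Anonymous-share-enumeration", 4),
]

AUTHENTICATED = UNAUTHENTICATED + [
    # Only visible with credentials: a single missing patch on every host
    # (placeholder id, not a real KB/CVE) plus two host-specific issues.
    ("10.0.0.5", "missing-patch-PLACEHOLDER", 5),
    ("10.0.0.6", "missing-patch-PLACEHOLDER", 5),
    ("10.0.0.7", "missing-patch-PLACEHOLDER", 5),
    ("10.0.0.5", "Weak-share-permissions", 4),
    ("10.0.0.6", "Local-admin-password-never-expires", 2),
]


def credentialed_only(unauth, auth):
    """Return the findings that appear only in the authenticated scan.

    A finding is keyed on (host, check_id); severity is carried along.
    """
    baseline = {(host, check) for host, check, _ in unauth}
    return [f for f in auth if (f[0], f[1]) not in baseline]


def severity_summary(findings):
    """Count findings per severity level, e.g. {5: 3, 4: 1, 2: 1}."""
    return dict(Counter(sev for _, _, sev in findings))


def collapse_by_check(findings):
    """Map each check id to the sorted list of hosts it was found on.

    This is the view to show management: the number of distinct root
    causes, not the number of rows in the scanner export.
    """
    hosts_by_check = defaultdict(list)
    for host, check, _ in findings:
        hosts_by_check[check].append(host)
    return {check: sorted(hosts) for check, hosts in hosts_by_check.items()}


def triage(unauth, auth, critical_level=5):
    """Summarise what credentials added to the picture.

    Returns row counts (what the raw report shows) alongside distinct
    critical checks (what actually needs fixing).
    """
    extra = credentialed_only(unauth, auth)
    by_check = collapse_by_check(extra)
    critical_checks = {
        check for _, check, sev in extra if sev >= critical_level
    }
    return {
        "new_findings": len(extra),
        "new_critical_rows": sum(
            1 for _, _, sev in extra if sev >= critical_level
        ),
        "distinct_critical_checks": len(critical_checks),
        "hosts_with_new_findings": len({host for host, _, _ in extra}),
        "by_severity": severity_summary(extra),
        "by_check": by_check,
    }


if __name__ == "__main__":
    result = triage(UNAUTHENTICATED, AUTHENTICATED)
    print(f"Credentials surfaced {result['new_findings']} additional findings "
          f"on {result['hosts_with_new_findings']} hosts.")
    print(f"{result['new_critical_rows']} critical rows, but only "
          f"{result['distinct_critical_checks']} distinct critical check(s).")
    for check, hosts in result["by_check"].items():
        print(f"  {check}: {len(hosts)} host(s)")
```

The `distinct_critical_checks` figure is the one to lead with when setting expectations: it tells the reader how many remediation actions are behind the wall of red in the raw export. Because `credentialed_only` keys on (host, check), the same approach also works for comparing this quarter's authenticated scan against the last one.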
The most important thing of all is actually running authenticated scans. For whatever reason, many people skip them, but this is something that you cannot afford to do.