Azure Scan Checklist
We recommend these steps before scanning.
- Check Appliance Status
- Configure OS Authentication
- Configure security groups for the Azure virtual machines to be scanned
Check Appliance Status
Go to VM/VMDR > Scans > Appliances.
Be sure the new Scanner Appliance is connected to the Qualys Enterprise TruRisk™ Platform. The icon means your appliance is connected and ready for scanning.
Configure OS Authentication
Using host OS authentication (trusted scanning) allows our service to log in to each target system during scanning. Running authenticated scans gives you the most accurate results with fewer false positives.
- Go to Scans > Option Profiles.
- Edit the profile Initial Options.
- Use Save As to save a copy with another name. In your new profile, enable the authentication types that you need.
- Go to Scans > Authentication.
- Add authentication records for the Azure virtual machines you are scanning - Unix and/or Windows.
- In the record, you need to add credentials for the account to be used for authentication - this is an account for the OS user (not the AIM user).
We recommend you create a dedicated account for authentication on target systems.
Sample Unix Record
- Login Credentials - Provide OS user name and select Skip Password.
- Private Keys - Key authentication is recommended. Select key type (RSA, DSA, ECDSA, ED25519) and enter your private key content.
- IPs - Select Unix IP addresses or ranges of your Azure virtual machines for this record. Credentials in this record are used to scan these assets.
Sample Windows Record
- Login Credentials - Provide OS user name and select Skip Password.
- IPs - Select Windows IP addresses/ranges of your Azure virtual machines for this record. Credentials in this record are used to scan these assets.
Learn more about OS authentication
Online help within the authentication record workflows provides detailed instructions and guidance on all available options. These documents are good resources:
Qualys Windows Authentication Guide (pdf)
Qualys Unix Authentication Guide (pdf)
Configure security groups for the Azure virtual machines to be scanned
In Azure, you must associate a security group that allows inbound access on all ports for the scanner appliance's IP address or the security group of the scanner appliance.
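One way to check this before the first scan is to audit the target's network security group rules offline. The following is an added example, not Qualys or Azure code: it assumes the rules were exported as JSON (for instance with `az network nsg rule list -o json`), and the scanner address 10.20.0.4, the rule names and the function names are constructed for illustration. It reports whether the scanner is allowed on all ports and which allow-all rules are open to far more than the scanner.

```python
import ipaddress

# Constructed sample shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "allow-scanner", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "10.20.0.4", "destinationPortRange": "*"},
    {"name": "allow-any", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
BROAD = {"*", "0.0.0.0/0", "Internet"}

def _values(rule, single, plural):
    """NSG rules carry either a single value or a list; merge both."""
    one = rule.get(single)
    return ([one] if one else []) + list(rule.get(plural) or [])

def _covers(prefix, ip):
    if prefix in ("*", "0.0.0.0/0"):
        return True
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # service tag; not resolvable offline (assumption)

def _all_ports(rule):
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return rule.get("protocol") == "*" and bool({"*", "0-65535"} & set(ports))

def audit_scanner_access(rules, scanner_ip):
    """First-match evaluation in priority order, as NSGs do (conservative)."""
    ip = ipaddress.ip_address(scanner_ip)
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    verdict = "not-allowed"
    for r in inbound:
        srcs = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(_covers(s, ip) for s in srcs):
            continue
        if r["access"] == "Deny":      # a deny ahead of any allow-all rule
            verdict = "blocked-by:" + r["name"]
            break
        if _all_ports(r):
            verdict = "allowed-by:" + r["name"]
            break
    too_broad = [r["name"] for r in inbound if r["access"] == "Allow" and _all_ports(r)
                 and BROAD & set(_values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))]
    return {"scanner": verdict, "too_broad": too_broad}
```

A `blocked-by` or `not-allowed` verdict means the scan will miss ports on that virtual machine; any name under `too_broad` is a rule that opens every port to sources well beyond the scanner appliance.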