Azure Scan Checklist

We recommend these steps before scanning.

Check Appliance Status

Go to VM/VMDR > Scans > Appliances.

Be sure the new Scanner Appliance is connected to the Qualys Enterprise TruRisk™ Platform. The icon means your appliance is connected and ready for scanning.

Configure OS Authentication

Using host OS authentication (trusted scanning) allows our service to log in to each target system during scanning. Running authenticated scans gives you the most accurate results with fewer false positives.

  1. Go to Scans > Option Profiles.
  2. Edit the profile Initial Options.
  3. Use Save As to save a copy with another name. In your new profile, enable the authentication types that you need.

  4. Go to Scans > Authentication.
  5. Add authentication records for the Azure virtual machines you are scanning - Unix and/or Windows.
  6. In the record, you need to add credentials for the account to be used for authentication - this is an account for the OS user (not the AIM user).

    We recommend you create a dedicated account for authentication on target systems.

Sample Unix Record

  1. Login Credentials - Provide OS user name and select Skip Password.

  2. Private Keys - Key authentication is recommended. Select key type (RSA, DSA, ECDSA, ED25519) and enter your private key content.

  3. IPs - Select Unix IP addresses or ranges of your Azure virtual machines for this record. Credentials in this record are used to scan these assets.

Sample Windows Record

  1. Login Credentials - Provide OS user name and select Skip Password.

  2. IPs - Select Windows IP addresses/ranges of your Azure virtual machines for this record. Credentials in this record are used to scan these assets.

Learn more about OS authentication

Online help within the authentication record workflows provides detailed instructions and guidance on all available options. These documents are good resources:

Qualys Windows Authentication Guide (pdf)

Qualys Unix Authentication Guide (pdf)

Configure security groups for the Azure virtual machines to be scanned

In Azure, you must associate with the virtual machines to be scanned a security group that allows inbound access on all ports from the scanner appliance's IP address or from the security group of the scanner appliance.
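
An all-ports inbound rule should be scoped to the scanner and nothing wider. The check below is an added example, not Qualys code: it audits the rules of one security group, assuming they are in the JSON shape returned by `az network nsg rule list`. The function names, rule names and the scanner address 10.0.1.4 are hypothetical.

```python
import ipaddress

ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}   # sources far wider than one scanner
ALL_PORTS = {"*", "0-65535"}

def _values(rule, single, plural):
    """An NSG rule carries a single value, a list, or both; merge them."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers(prefix, ip):
    """True if an address prefix contains ip; unresolved service tags do not match."""
    if prefix == "*":
        return True
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def audit_scan_rules(rules, scanner_ip):
    """Return (scanner_allowed_on_all_ports, findings) for one NSG's rules."""
    ip = ipaddress.ip_address(scanner_ip)
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])   # lowest number is evaluated first
    allowed, findings = None, []
    for r in inbound:
        sources = set(_values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))
        ports = set(_values(r, "destinationPortRange", "destinationPortRanges"))
        all_ports = r["protocol"] == "*" and bool(ports & ALL_PORTS)
        if r["access"] == "Allow" and all_ports and sources & ANY_SOURCE:
            findings.append(f"{r['name']}: all ports open to any source, scope it to the scanner")
        if allowed is None and any(_covers(s, ip) for s in sources):
            if r["access"] == "Deny":
                allowed = False
                findings.append(f"{r['name']}: denies scanner traffic ahead of any all-ports allow rule")
            elif all_ports:
                allowed = True
    return bool(allowed), findings

# Constructed sample: scanner at 10.0.1.4, one scoped rule and one overly broad rule.
SAMPLE_RULES = [
    {"name": "allow-scanner", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "10.0.1.4", "destinationPortRange": "*"},
    {"name": "allow-everything", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print(audit_scan_rules(SAMPLE_RULES, "10.0.1.4"))
```

A result of `True` with an empty findings list means the scanner can reach every port and no rule opens all ports to any source.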