Why Use Host Authentication?

Host authentication (trusted scanning) lets the service log in to each target system during a scan. With a login, the scanner can read installed software and configuration directly instead of inferring them from network responses, so it can perform an in-depth security assessment and get better visibility into each system's security posture. Authenticated scans give you the most accurate results with fewer false positives.

Good to Know

Do I have to use authentication?
For vulnerability scans, authentication is optional but recommended. For compliance scans, authentication is required.

Are my credentials safe?
Yes. Credentials are used only to read the system's configuration and state. They are handled securely by the service and are used only for the duration of the scan.

In most cases we do not modify or write to the device, unless you enable the optional scan features Dissolvable Agent and Agentless Tracking and accept the agreement regarding their terms of use. In some cases on Unix, temporary data may be written during a scan, as described below.

Unix anomalies: We write temporary files to the device and remove them when the scan is finished. Commands run during the scan can also have side effects, since some of them invoke applications (browsers, etc.).

Dissolvable Agent (Windows): When enabled, we write the dissolvable agent file to the device and remove it when the scan is finished.

Agentless Tracking (Windows, Unix): When enabled, we write a host ID file to the device at the time of the first scan. Note - the Manager primary contact for the subscription can run a cleanup action at any time to remove the host ID file from hosts.

Cleanup Issues (Windows, Unix): In rare cases, if a scan terminates before cleaning up temporary files or the dissolvable agent, the files may persist. This generally should not occur.

Authentication records

Authentication Technologies Matrix

A10 (uses Unix record) | Apache Web Server | Azure MS SQL | Cisco | Cisco CUCM | Checkpoint Firewall | Docker | HTTP | IBM DB2 | IBM VIOS (uses Unix record) | IBM WebSphere App Server | Infoblox | InformixDB | JBoss | Kubernetes | MariaDB | Microsoft SharePoint | MongoDB | MS Exchange Server | MS IIS | MS SQL | MySQL | Neo4j | NetScaler (uses Unix record) | Network SSH | Nginx | Oracle | Oracle CDB/PDBs | Oracle HTTP Server | Oracle Listener | Oracle System Record Template | Oracle WebLogic Server | Palo Alto Networks Firewall | Pivotal Greenplum | PostgreSQL | SAP HANA | SAP IQ | SNMP | Sybase | Tomcat Server | Unix | Unix-based systems | vCenter | VMware ESXi | Windows

Password vaults

Arcon PAM | Azure Key | BeyondTrust PBPS | CA Access Control | CA PAM | CyberArk AIM | CyberArk PIM Suite | HashiCorp | Hitachi ID PAM | Lieberman ERPM | Quest Vault | Thycotic Secret Server | Wallix AdminBastion (WAB)

How to use vaults | Vault support matrix


1 - Add authentication records for your host technologies. Go to Scans > Authentication and create new records from the New menu. In each record you provide the login credentials our service will use to log in to each host at scan time. Each record is defined for one technology (Windows, Unix, Oracle, etc.), and you can have multiple records per technology.

Did you know? For several server applications you can have authentication records created for you automatically. Learn about instance discovery and system authentication records

2 - Add authentication vaults, if applicable. We support integration with multiple third party password vaults. Go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record. At scan time, we'll authenticate to hosts using credentials retrieved from your vault.

Check the account requirements

Be sure to review the account requirements for each technology when you're defining a record. Click the Launch Help link in the record to get details. Use a dedicated scanning account that is granted only the privileges those requirements call for; that keeps the scanner's access to a minimum and makes its logins easy to recognize in the target's own logs.

Who can create records?

Managers can create records. Unit Managers and Scanners can create them when granted the "Create/edit authentication records/vaults" permission in their account settings.

Unit Managers and Scanners must also be granted permission to create records for PC.

For vulnerability scans, authentication must be enabled in an option profile, and that profile must be selected at scan time. Go to Scans > Option Profiles. Edit an option profile (or create a new one), go to the Scan section and select each type of authentication you want to use.

Want to test authentication? Select "Enable authentication testing" in your option profile. Then run a scan using this profile to identify issues with authentication credentials before running a full scan.

Before you begin, be sure the IPs you want to scan are already defined in your records; an IP that is not covered by any record is scanned without authentication.

To start your scan go to Scans > New > Scan (or Scheduled Scan) and enter your scan settings.

For a vulnerability scan, make sure you select the option profile that you've enabled with authentication.

We recommend you verify that authentication was successful after your authenticated scans finish. Be sure to resolve authentication failures before the next scan.

How to verify authentication for your scans

How to run the Authentication Report


Use the Credentials Breakdown to quickly filter your records list to show:

- Credentials that have not been attempted in the last 30 days (Unused)

- Credentials that were successful 100% of the time (Passing)

- Credentials that were not successful for some of the hosts in the record (Problematic)

- Credentials that were not successful for more than 50% of the hosts in the record (Failing)

- Credentials stored in a password vault (In Vault)

Tip - You can also search for records by type, network, title, IP address and vault type.

Drill down into record details to see pass/fail authentication status for your scanned hosts. The Updated column shows you when each host was last scanned using authentication - this is when the status was last updated.

Pass - Authentication to the host was successful.

Fail - Authentication to the host was not successful. Please refer to the Cause column for more information like the credentials used in the authentication attempt.

Not Attempted - Authentication to the host was not used (not counted as pass or fail), either because you have never scanned the host using authentication or because the host's scan data was purged. Please note that the status is per module: in VM we look at vulnerability scan data, and in PC we look at compliance scan data. For example, if you scanned a host in PC using authentication but never scanned it in VM using authentication, you'll see a Pass/Fail status in PC and Not Attempted in VM.
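The same breakdown can be reproduced offline from an exported per-host status list, which is useful when you want to compare two scans or feed failures into a ticket queue. The Python script below is an added example and not Qualys code. It assumes a CSV export with the columns record_title, host_ip, status, updated and cause (the column names, record titles, IPs and causes are constructed for the example), treats the four categories as mutually exclusive with Failing taking precedence over Problematic, and counts Not Attempted the way the details graph does, as every record IP that has no Pass/Fail status, which is why that number can differ from the rows explicitly marked Not Attempted in the list.

```python
"""
Credentials Breakdown rebuilt from a per-host authentication export.
Added example, not Qualys product code. It assumes (not taken from the page)
a CSV export with the columns record_title, host_ip, status, updated, cause.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

STALE_AFTER = timedelta(days=30)   # "Unused": no authentication attempt in the last 30 days
EXAMPLE_TODAY = date(2021, 11, 10)  # reference date for the constructed sample

# Constructed sample export: titles, IPs, dates and causes are made up for this example.
SAMPLE_EXPORT = """\
record_title,host_ip,status,updated,cause
unix-prod,10.0.0.1,Pass,2021-11-09,
unix-prod,10.0.0.2,Fail,2021-11-09,Login failed for user scanner
unix-prod,10.0.0.3,Not Attempted,,
win-dc,10.0.1.1,Pass,2021-11-08,
win-dc,10.0.1.2,Pass,2021-11-08,
win-legacy,10.0.2.1,Fail,2021-11-01,Account locked out
win-legacy,10.0.2.2,Fail,2021-11-01,Access denied
win-legacy,10.0.2.3,Pass,2021-11-01,
db-archive,10.0.3.1,Pass,2021-09-01,
"""

# Constructed record definitions: the IPs each record covers and whether its
# credentials come from a vault. A record may list IPs never scanned with authentication.
RECORDS = {
    "unix-prod": {"ips": ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"], "vault": "CyberArk AIM"},
    "win-dc": {"ips": ["10.0.1.1", "10.0.1.2"], "vault": None},
    "win-legacy": {"ips": ["10.0.2.1", "10.0.2.2", "10.0.2.3"], "vault": None},
    "db-archive": {"ips": ["10.0.3.1"], "vault": "HashiCorp"},
}


@dataclass
class HostAuth:
    ip: str
    status: str            # "Pass", "Fail" or "Not Attempted"
    updated: date | None   # last authenticated scan, i.e. when the status was last updated
    cause: str


@dataclass
class RecordSummary:
    title: str
    category: str          # Unused, Passing, Problematic or Failing
    in_vault: bool
    passed: int
    failed: int
    not_attempted: int     # record IPs with no Pass/Fail status (what the details graph counts)
    failures: list[HostAuth] = field(default_factory=list)


def parse_export(text: str) -> dict[str, list[HostAuth]]:
    """Group the export rows by authentication record."""
    by_record: dict[str, list[HostAuth]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        updated = date.fromisoformat(row["updated"]) if row["updated"] else None
        by_record[row["record_title"]].append(
            HostAuth(row["host_ip"], row["status"], updated, row["cause"]))
    return by_record


def summarize(title: str, record: dict, hosts: list[HostAuth], today: date) -> RecordSummary:
    """Apply the Credentials Breakdown rules to one record."""
    # "Not Attempted" is neither a pass nor a fail, so percentages use attempted hosts only.
    attempted = [h for h in hosts if h.status in ("Pass", "Fail")]
    failures = [h for h in attempted if h.status == "Fail"]
    attempted_ips = {h.ip for h in attempted}
    not_attempted = sum(1 for ip in record["ips"] if ip not in attempted_ips)
    last = max((h.updated for h in attempted if h.updated), default=None)
    if last is None or today - last > STALE_AFTER:
        category = "Unused"
    elif 2 * len(failures) > len(attempted):     # strictly more than 50% failed
        category = "Failing"
    elif failures:                               # some, but at most half, failed
        category = "Problematic"
    else:                                        # 100% of attempts succeeded
        category = "Passing"
    return RecordSummary(title, category, record["vault"] is not None,
                         len(attempted) - len(failures), len(failures), not_attempted, failures)


def breakdown(text: str, records: dict, today: date) -> dict[str, RecordSummary]:
    """Summarize every defined record, including records with no rows in the export."""
    by_record = parse_export(text)
    return {t: summarize(t, r, by_record.get(t, []), today) for t, r in records.items()}


def hosts_to_fix(summaries: dict[str, RecordSummary]) -> list[tuple[str, str, str]]:
    """Every failed host with its cause: the list to clear before the next scan."""
    return [(s.title, h.ip, h.cause) for s in summaries.values() for h in s.failures]


if __name__ == "__main__":
    result = breakdown(SAMPLE_EXPORT, RECORDS, EXAMPLE_TODAY)
    for s in result.values():
        print(f"{s.title:<11} {s.category:<12} vault={s.in_vault!s:<5} "
              f"pass={s.passed} fail={s.failed} not_attempted={s.not_attempted}")
    for title, ip, cause in hosts_to_fix(result):
        print(f"  fix: {title} {ip}: {cause}")
```

With the constructed data, unix-prod comes out Problematic (one of two attempted hosts failed, which is not more than 50%), win-legacy comes out Failing, db-archive comes out Unused because its only attempt is more than 30 days old, and unix-prod shows two Not Attempted IPs in the record-level count although only one row in the export is marked Not Attempted.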

Use the Search option at the top of the Authentication page to quickly find authentication records by different criteria like title, network, record type, IP address, modified date, and more. 

Click Search to see the search options available, make your selections and then click Search again. You can also simply start typing in the Search field to find a search category and then provide a search value.

Click Clear Search to clear the Search field and show all records.

Search field

When searching by Modified date, please note that the search returns records with a modified date earlier than the date entered. It does NOT return records modified on the date entered. For example, if you select a Modified date of 11/10/2021, we return records modified before this date and not records modified on 11/10/2021 itself; to include that day, enter 11/11/2021.

You can download any data list within the UI in order to view your configurations outside of the product.


Note: In the graph displayed on the Authentication details tab, the Not Attempted count displays the remaining IP count in the authentication record for which there is no Pass/Fail authentication status. Therefore, there can be a discrepancy between the Not Attempted status count in the graph and the list on the Authentication details tab.