Create, update, list and delete Windows records for authenticating to Windows systems. Vulnerability and Compliance scans are supported (using VM, PC).
Download Qualys User Guide - Windows Authentication (.pdf)
|
Parameter |
Required/Optional |
Data Type |
Description |
|---|---|---|---|
|
action={action} |
Required | String |
Specify create, update, delete (using POST) or list (using GET or POST). See List Auth Records for type |
|
echo_request={0|1} |
Optional | Integer |
Specify 1 to view (echo) input parameters in the XML output. By default these are not included. |
|
ids={value} |
Required to update or delete record | Integer |
Record IDs to update/delete. Specify record IDs and/or ID ranges (for example, 1359-1407). Multiple entries are comma separated. |
|
title={value} |
Required to create record | String |
A title for the record. The title must be unique. Maximum 255 characters (ascii). |
|
comments={value} |
Optional to create or update record | String |
User defined comments. Maximum of 1999 characters. |
|
use_agentless_tracking={0|1} |
Optional to create or update record | Integer |
Specify 1 to enable Agentless Tracking. |
|
Login Credentials |
|
||
|
username={value} |
Required to create record, optional to update record | String |
The username for the Windows account to be used for authentication on target hosts. The username may include 1-31 characters (ascii). |
|
password={value} |
To create record password or login_type=vault is required | Alphanumeric |
The password of the Windows account to be used for authentication. Maximum 100 characters (ascii). |
|
login_type={basic|vault} |
To create record password or login_type=vault is required | Boolean |
Set to vault if a third party vault will be used to retrieve password. Vault parameters need to be provided in the record. |
|
windows_ad_domain={value} |
Optional | String |
The Windows Active Directory domain name for domain level authentication. When specified, we’ll use an Active Directory forest to authenticate to hosts in a certain domain within the framework. You’ll need to enter a Fully Qualified Domain Name (FQDN). See Windows Domains This parameter and the windows_domain parameter cannot be specified in the same request. This parameter and the ips parameter cannot be specified in the same request. |
|
windows_domain={value} |
Optional | String |
The Windows NetBIOS domain name for domain level authentication. See Windows Domains This parameter and the windows_ad_domain parameter cannot be specified in the same request. When the ips parameter is also specified, the domain type is NetBIOS, User-Selected IPs. We’ll use NetBIOS to authenticate to the IPs in the domain configuration. When the ips parameter is not specified, the domain type is NetBIOS, Service-Selected IPs. We’ll use NetBIOS to authenticate to hosts in the domain using credentials stored on the domain. |
|
ntlm={0|1} |
Optional | Integer |
When not specified, NTLM authentication is enabled allowing the scanning engine to try the NTLM authentication protocol when negotiating authentication to target hosts. Specify ntlm=0 if you do not want the NTLM authentication protocol attempted for the hosts defined in the Windows record. This may be the case if the target hosts are running a version of Windows that supports a more secure authentication protocol like Kerberos. When NTLM authentication is disabled, it will not be attempted even if other methods like NTLMSSP and Kerberos fail. |
|
Target Hosts |
|
||
|
ips={value} |
Optional for create record when asset_type=ips or asset_type is not specified | Integer |
When specified, the ips parameter defines an IP list for the authentication record. These are the hosts to be authenticated to with the login credentials. When not specified, the service uses the authentication credentials stored on the domain to authenticate to hosts that are members of the domain. (Optional for update request) Overwrites (replaces) the IP list for the authentication record. The IPs you specify are added and any existing IPs are removed. You may enter a combination of IPs and IP ranges. Multiple entries are comma separated. This parameter and the add_ips parameter or the remove_ips parameter cannot be specified in the same request. |
|
add_ips={value} |
Optional to update record | Integer |
IPs to be added to an existing record. Multiple IPs/ranges are comma separated. This parameter and the ips parameter cannot be specified in the same request. |
|
remove_ips={value} |
Optional to update record | Integer |
IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated. This parameter and the ips parameter cannot be specified in the same request. |
|
network_id={value} |
Optional to create or update record, and valid when the networks feature is enabled | Integer |
The network ID for the record. |
|
Target Hosts with Tag Support |
Note: Applicable only when you have Asset Tagging and Tag Support for Authentication Records enabled for your subscription. |
||
|
asset_type={ips|asset_tags|ip_range_tag_rule} |
Optional | Boolean |
Indicates how assets will be defined in the record. Valid values are ips (the default), asset_tags, ip_range_tag_rule. When not specified, we will use asset_type=ips. ips - Specify this value to assign IP addresses/ranges to the record asset_tags - Specify this value to add tags to the record for the assets you want included. IP addresses with the selected tags already assigned will be associated with the record. ip_range_tag_rule - Specify this value to add tags that have IP address ranges defined in the tag rule. All IP addresses defined in the tag rule will be associated with the record, including IPs that do not already have the tag assigned. |
|
tag_set_by={id|name} |
Optional when asset_type=asset_tags or ip_range_tag_rule | Integer |
Specify "id" (the default) to select a tag set by providing tag ids. Specify "name" to select a tag set by providing tag names. |
|
tags_include={tag1, tag2...} |
Required when asset_type=asset_tags or ip_range_tag_rule | Integer |
Specify a tag set to include in the record. Hosts that match these tags will be included. You identify the tag set by providing tag names or IDs. Multiple entries are comma-separated. To specify tag names, you must also specify tag_set_by=name. |
|
tags_exclude={tag1, tag2...} |
Optional when asset_type=asset_tags or ip_range_tag_rule | Integer |
Specify a tag set to exclude in the record. Hosts that match these tags will be excluded. You identify the tag set by providing tag names or IDs. Multiple entries are comma-separated. To specify tag names, you must also specify tag_set_by=name. |
|
tag_include_selector={any|all} |
Optional when asset_type=asset_tags or ip_range_tag_rule | Boolean |
Select "any" (the default) to include hosts that match at least one of the selected tags. Select "all" to include hosts that match all of the selected tags. |
|
tag_exclude_selector={any|all} |
Optional when asset_type=asset_tags or ip_range_tag_rule | Boolean |
Select "any" (the default) to exclude hosts that match at least one of the selected tags. Select "all" to exclude hosts that match all of the selected tags. |
|
ips={value} |
Required to create record when asset_type=ips or asset_type is not specified | Integer |
The IP address(es) the server will log into using the record’s credentials. Multiple entries are comma separated. (Optional to update record when asset_type=ips) IPs specified will overwrite existing IPs in the record, and existing IPs will be removed. This parameter and the add_ips parameter or the remove_ips parameter cannot be specified in the same request. |
|
add_ips={value} |
Optional to update record when asset_type=ips | Integer |
Add IPs and/or ranges to the IPs list for this record. Multiple IPs/ranges are comma separated. This parameter and the ips parameter cannot be specified in the same request. |
|
remove_ips={value} |
Optional to update record when asset_type=ips | Integer |
IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated. This parameter and the ips parameter cannot be specified in the same request. |
|
Protocols |
For Windows domain level authentication, all three authentication protocols are supported. Kerberos and NTLMv2 are enabled by default in new records. If NTLM was enabled in a record prior to this release, then NTLMv1 is enabled. For Windows local host level authentication, NTLMv2 and NTLMv1 protocols are supported. NTLMv2 is enabled by default in new records. If NTLM was enabled in a record prior to this release, then NTLMv1 is enabled. |
||
|
kerberos={0|1} |
Optional | Integer |
When not specified, Kerberos is enabled allowing the scanning engine to try Kerberos when negotiating authentication to target hosts. Specify kerberos=0 if you do not want Kerberos attempted. Kerberos is supported for domain authentication only. When kerberos=1 you must define a domain name for Windows Active Directory (windows_ad_domain) or NetBIOS (windows_domain) for the record. |
|
ntlmv2={0|1} |
Optional | Integer |
When not specified for a new record, NTLMv2 is enabled allowing the scanning engine to try NTLMv2 when negotiating authentication to target hosts. Specify ntlmv2=0 if you do not want NTLMv2 attempted. |
|
ntlm={0|1} |
Optional | Integer |
When not specified, NTLMv1 will not be attempted. Specify ntlm=1 to allow the scanning engine to try NTMLv1 when negotiating authentication to target hosts. |
|
SMB Signing |
SMB Signing option is disabled by default, meaning SMB signing is not required. This is the recommended setting. When disabled, we can authenticate to any Windows version regardless of how SMB signing is configured on the target. You are not protected, however, against man-in-the-middle (MITM) attacks. |
||
|
require_smb_signing={0|1} |
Optional | Integer |
Set to 0 (default) when SMB signing is not required. Set value to 1 to require SMB signing. Should I require SMB signing? The answer is No in most cases. If you enable this option in your record, we will require each Windows target to support SMB signing. If SMB signing is disabled on a target host, authentication will fail and the host will not be scanned. This option protects against MITM attacks but we won't be able to authenticate to some hosts. |
|
minimum_smb_version={value} |
Optional | Integer |
The minimum SMB protocol version. Valid values are: 1, 2.0.2, 2.1, 3.0, 3.0.2, 3.1.1, and "" (empty string means no version set) |
- Supported domain types: Active Directory, NetBIOS User-Selected IPs, NetBIOS Service-Selected IPs.
- Authentication is performed at the local host level when a domain name is not defined for Active Directory (windows_ad_domain) or NetBIOS (windows_domain).
- Once a Windows record is saved, you cannot change the domain type from Active Directory to NetBIOS or from NetBIOS to Active Directory.
API Request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With:curl" -X POST"action=create&title=API_v2_utwrx_mp_Windows&username=User&password=Password&ips=10.10.10.200" "https://<qualys_base_url>/api/2.0/fo/auth/windows/"XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2018-04-30T09:28:00Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>1310338</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>In this sample, a new Windows record is created with asset_type=asset_tags.
API Request
curl -H "X-Requested-With: curl" -u "USERNAME:PASSWORD""https://<qualys_base_url>/api/2.0/fo/auth/windows/?action=create&title=windows&username=root&asset_type=asset_tags&tags_include=ag1&tag_include_selector=all&tags_exclude=ag20&tag_set_by=name&tag_exclude_selector=all"XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2021-03-11T00:45:31Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>204027</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>API Request
curl --location --request GET'<qualys_base_url>/api/2.0/fo/auth/windows/?action=list&ids=3875495' \--header 'X-Requested-With: curl' \--header 'Authorization: Basic XXXXXXXXXX'XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE AUTH_WINDOWS_LIST_OUTPUT SYSTEM
"<qualys_base_url>/api/2.0/fo/auth/windows/dtd/auth_list_output.dtd">
<AUTH_WINDOWS_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2023-12-12T14:23:38Z</DATETIME>
<AUTH_WINDOWS_LIST>
<AUTH_WINDOWS>
<ID>3875495</ID>
<TITLE>
<![CDATA[windows123]]>
</TITLE>
<USERNAME>
<![CDATA[root]]>
</USERNAME>
<NTLM_V2>1</NTLM_V2>
<IP_SET>
<IP>10.10.10.10</IP>
</IP_SET>
<LOGIN_TYPE>
<![CDATA[vault]]>
</LOGIN_TYPE>
<DIGITAL_VAULT>
<DIGITAL_VAULT_ID>
<![CDATA[1358956]]>
</DIGITAL_VAULT_ID>
<DIGITAL_VAULT_TYPE>API Request
curl --location --request POST'<qualys_base_url>/api/2.0/fo/auth/windows/?action=update&ids=3875495&login_type=vault&vault_type=Hitachi ID PAM&vault_id=1358956&resource_id=234'\--header 'X-Requested-With: curl' \--header 'Authorization: Basic XXXXXXXXXX'XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2023-12-12T14:18:56Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Updated</TEXT>
<ID_SET>
<ID>3875495</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>API Request
curl --location --request POST'<qualys_base_url>/api/2.0/fo/auth/windows/?action=create&username=root&ips=11.11.11.11&login_type=vault&vault_type=Hitachi IDPAM&vault_id=1358956&resource_id=123&title=windows123' \--header 'X-Requested-With: curl' \--header 'Authorization: Basic XXXXXXXXXX'XML Output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2023-12-12T14:10:25Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>3875495</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
</BATCH_RETURN>Qualys API - Windows Authentication API samples (GitHub)
<platform API server>/api/2.0/batch_return.dtd
<platform API server>/api/2.0/fo/auth/windows/auth_windows_list_output.dtd