Configure credentialed scanning for Windows systems

You can provide credentials to a Managed Risk Scanner to allow the scanner to scan your environment with elevated permissions.

Note: To configure credentialed scanning in the Risk Dashboard, see Configure credentialed scanning for Windows systems in the Risk Dashboard.
On Windows, credentialed scans use SMB on ports 139 and 445 to authenticate using a username and password.
  • Newer versions of SMB use port 445 to directly operate over TCP/IP. NetBIOS is not used.
  • Older versions of SMB use port 139 over TCP/IP. This port is used for file and printer sharing over NetBIOS.
Note:
  • If you rotate your credentials, you must reset them on the scanner as well.
  • To minimize security risks, Arctic Wolf recommends that you use these credentials for scanning only. Do not provide more permissions to these credentials or use them with systems other than the scanner.

These resources are required:

  • A valid username, which can contain these characters:
    • Any alphanumeric character
    • -
    • _
    • @
    • .
    • \
  • A user account that:
    • Has administrator access privileges.
    • Has PowerShell execution privileges.
    • If your system is not attached to a domain controller (DC), or if you are using a local administrator account on a system that is attached to a DC — Uses this registry key:
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
      DWORD: LocalAccountTokenFilterPolicy = 1
    • If your system is attached to a DC — Is a group domain administrator.

These actions are required:

  • Make sure that the scanner can sign into scan targets without access policy restrictions on targets.
  • Make sure that the Remote Registry service is active so that the scanner can access the registry.
    Note: You can configure the system to automatically start the registry service at startup. If you configure the system to start the registry service manually, the service starts during credentialed scans by the scanner and is disabled afterwards.
  • Activate file and printer sharing on the target systems.
  • You may need to create an exception rule for the scanner in your firewall. Make sure that there are no security policies that would block the scanner from performing credential checks.
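
The resource and action requirements above can be checked on a scan target before you add credentials. This PowerShell is an added example, not Arctic Wolf code and not part of the original page; the function name Test-CredentialedScanPrereq is hypothetical, and it assumes an elevated local session on the target and the English firewall group name. It only reads state and changes nothing.

```powershell
# Added example: read-only pre-flight check for one scan target.
# Assumptions: elevated Windows PowerShell 5.1+ session run locally on the target,
# English firewall group name, NetSecurity and NetTCPIP modules present.
function Test-CredentialedScanPrereq {
    $checks = @()

    # Needed only when the scan account is a local administrator
    # (host not attached to a DC, or local admin on a host attached to a DC).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $checks += [pscustomobject]@{
        Check  = 'LocalAccountTokenFilterPolicy'
        Pass   = ($val -eq 1)
        Detail = "value: $(if ($null -eq $val) { 'not set' } else { $val })"
    }

    # Automatic or Manual start both allow the service to run during a scan;
    # a Disabled service cannot be started on demand.
    $svc = Get-Service -Name RemoteRegistry
    $checks += [pscustomobject]@{
        Check  = 'Remote Registry service'
        Pass   = ($svc.StartType -ne 'Disabled')
        Detail = "start type $($svc.StartType), status $($svc.Status)"
    }

    # File and printer sharing: at least one enabled inbound rule in the group.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
    $checks += [pscustomobject]@{
        Check  = 'File and Printer Sharing rules'
        Pass   = ($rules.Count -gt 0)
        Detail = "$($rules.Count) enabled inbound rule(s)"
    }

    # 445 = SMB directly over TCP/IP; 139 = older SMB over NetBIOS.
    foreach ($port in 445, 139) {
        $listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
        $checks += [pscustomobject]@{
            Check  = "SMB listener on TCP $port"
            Pass   = ($listeners.Count -gt 0)
            Detail = ($listeners.LocalAddress | Select-Object -Unique) -join ', '
        }
    }
    return $checks
}

Test-CredentialedScanPrereq | Format-Table -AutoSize
```

A False row is a prompt to review rather than an automatic blocker: the registry value does not apply to domain accounts, and the port 139 listener matters only where older SMB over NetBIOS is in use.
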
  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Scanners.
  3. Find the scanner to view, and then click View Scanner.
  4. Click the Credentialed Scanning tab.
  5. Do one of these options:
    • If you are adding new scan credentials — Click Create New Scan Credentials.
    • If you are updating existing scan credentials — Next to the existing credentials, click Edit.
  6. Configure these settings:
    • Name — Enter a name for the credential.
      Note: This name cannot be the same as another credential.
    • Description — (Optional) Enter a description for the credential.
    • Add Targets — Enter the IP addresses of the target hosts in a comma-separated list.
      Tip: This field accepts these formats:
      • To specify a range of IP addresses, use a dash (-). For example, 10.0.0.1-3 expands to 10.0.0.1, 10.0.0.2, 10.0.0.3.
      • To specify a CIDR block, use this format: X.X.X.X/Y. For example, 10.0.0.0/24.
      Note: These IP addresses cannot overlap with the targets of another scan credential.
  7. In the Type list, select Username/Password, and then enter the Username and Password.
  8. Do one of these actions:
    • To create new scan credentials — Click Create Credentialed Scanning.
    • To update existing scan credentials — Beside the existing credentials, click Update Credentialed Scanning.