Domain Admin vs Local Admin

Hi,

We’re in the process of setting up authenticated scans on our Windows servers and we were wondering how much of a difference scanning with a Domain Admin vs a Local Admin makes. Does the Domain Admin user scan network shares if we decide to go that route?

As for Linux servers, I’m sure there’s a big difference between a standard user vs a user with sudo privileges for scans.

Thanks

Hello, I have always used a domain account that has administrative permissions. I would not think that using a local admin would make much of a difference, but I would really like to hear input on this. I do, however, lean heavily on the agent, as a lot of our users are working from home and scans just don’t work all the time, especially if they are not connected via a VPN.

In my experience, for Windows you need to use Domain Admin to scan your DCs. Per R7 documentation that is supported: Authentication on Windows: best practices | InsightVM Documentation

For scanning domain controllers, you must use a domain administrator account because local administrators do not exist on domain controllers.

However, R7 documentation also says “When scanning Windows assets, we recommend that you use domain or local administrator accounts in order to get the most accurate assessment.”

In my experience this is false. When we used DA on non-DC systems, they would show “Partial Success” and not “Success” for authentication, and R7 support told us that partial success is as good as success as long as you could see it authenticated on a port.

2 years later, during an IVM health check, we were shown to scroll to the bottom and look at the accuracy of the OS fingerprint. If it does not = “1.0”, you are not successfully authenticated.

Once changing to local admin we achieved full authentication.

I recommend getting the R7 health check, as it is free and the level of these engineers is much greater than the support you receive in a ticket. This is my 3rd company now with IVM, and the health check is always beneficial!

With your Linux assets, if you are using Chef for deploying them, why don’t you make one local user account that can be deployed to all assets? Use that account as a standard user that can elevate with sudo to perform authenticated checks when required.
This can be accomplished via SSH public key auth.
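The Linux setup described in the post above, laid out as an added example (it is not code from the thread, from Rapid7, or from any Chef cookbook): a dedicated scan account that logs in with an SSH public key and elevates through sudo. The account name `ivmscan`, the scanner address `10.0.0.5`, the placeholder public key, and the `SCAN_ROOT` prefix are all assumptions. With `SCAN_ROOT` pointing at a scratch directory the script only writes the files under that prefix, so the sudoers drop-in and `authorized_keys` can be inspected before the same content goes into a Chef recipe or is applied to a real host as root with `SCAN_ROOT=""`.

```shell
#!/bin/sh
# Added example, not from the thread: provision a dedicated Linux scan account
# that authenticates with an SSH public key and elevates through sudo.
# Assumptions: user name "ivmscan", scanner address 10.0.0.5, placeholder key.
# SCAN_ROOT="" acts on the real filesystem (run as root); any other value is a
# scratch prefix where only the files are written and no account is created.
set -eu

SCAN_USER="${SCAN_USER:-ivmscan}"
SCANNER_IP="${SCANNER_IP:-10.0.0.5}"   # the only host allowed to use the key
# Constructed placeholder, not a real key: substitute the scanner's public key.
SCAN_PUBKEY="${SCAN_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlacehol ivm-scanner}"

# sudoers drop-in: a separate file under sudoers.d keeps the scanner policy
# out of the main sudoers file and lets Chef manage it as one resource.
write_sudoers() {
  f="$1/etc/sudoers.d/$SCAN_USER"
  mkdir -p "$1/etc/sudoers.d"
  cat > "$f" <<EOF
# The scanner runs non-interactively: no tty, and no password prompt to answer.
Defaults:$SCAN_USER !requiretty
# Authenticated checks need root to read package databases and config files.
# Narrow ALL to an explicit command list once you know what the scanner invokes.
$SCAN_USER ALL=(root) NOPASSWD: ALL
EOF
  chmod 0440 "$f"   # sudo expects sudoers files to be mode 0440 and root-owned
}

# authorized_keys: bind the key to the scanner's address and drop forwarding,
# so a copied key is of little use from anywhere else.
write_authorized_keys() {
  d="$1/home/$SCAN_USER/.ssh"
  mkdir -p "$d"
  printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$SCANNER_IP" "$SCAN_PUBKEY" > "$d/authorized_keys"
  chmod 0700 "$d"
  chmod 0600 "$d/authorized_keys"   # sshd StrictModes rejects looser permissions
}

# Syntax-check the drop-in: a typo in sudoers.d breaks sudo for everyone on the host.
check_sudoers() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -q -f "$1/etc/sudoers.d/$SCAN_USER"
  else
    echo "visudo not found; skipping syntax check" >&2
  fi
}

provision_scan_user() {
  root="$1"
  if [ -z "$root" ]; then
    # Real host: create the account with no password, so key auth is the only way in.
    id "$SCAN_USER" >/dev/null 2>&1 || useradd -m -s /bin/sh "$SCAN_USER"
  fi
  write_sudoers "$root"
  write_authorized_keys "$root"
  if [ -z "$root" ]; then
    chown root:root "/etc/sudoers.d/$SCAN_USER"
    chown -R "$SCAN_USER:$SCAN_USER" "/home/$SCAN_USER/.ssh"
  fi
}

# Only act when SCAN_ROOT is set; SCAN_ROOT="" means the real filesystem.
if [ -n "${SCAN_ROOT+set}" ]; then
  provision_scan_user "$SCAN_ROOT"
  check_sudoers "$SCAN_ROOT"
fi
```

Try it with `SCAN_ROOT=/tmp/scanuser sh provision.sh` and read the two generated files. The `from=` restriction is the part worth keeping even if everything else is adapted: without it, the scanner's private key, which by design opens root on every asset, works from any machine that obtains it.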