Fortinet 3.0 MR7 Network Card User Manual


 
Tools Preparing for the vulnerability scan job
FortiAnalyzer Version 3.0 MR7 Administration Guide
05-30007-0082-20080908 159
Some vulnerability scan modules, such as those that test file permissions or
check installed patch and software versions, require full access to the target host.
Vulnerability scan modules for Microsoft Windows hosts specifically require an
administrator account with access to not only the file system but also the registry.
You must configure the vulnerability scan job with the user name and password of
an administrator account to perform a full scan using all modules.
You can provide the vulnerability scan with an administrator account by creating a
new local or domain administrator account, rather than providing an existing
administrator account. However, many Windows hosts are configured so that
accounts authenticating over the network inherit guest privileges, rather than the
administrator privileges they would normally use when logging in locally. Guest
privileges are not sufficient for all vulnerability scan modules. For the duration
of the vulnerability scan, change the network access security policy for accounts
to "Classic: local users authenticate as themselves" so that all modules have the
privileges that they require to function correctly when authenticating remotely.
To configure the security policy for local accounts authenticating remotely (Windows XP)
The following procedure describes how to modify the local security policy of a
Windows XP target host for which you have configured a local administrator
account. This procedure may vary for other versions of Windows, or for target
hosts whose security policy and user accounts are administered at the domain
level rather than locally to each host.
1 Go to Start > Run, enter mmc, and then select OK to start the Microsoft
Management Console.
2 If a security policy console file already exists, select File > Open to open the
existing console file.
If no security policy console file exists, select File > New to create a new console
file.
3 If the console root does not contain Local Computer Policy (a Group Policy Object
Editor snap-in that is stored on the local computer), you must add that snap-in.
For instructions, see the help for the Microsoft Management Console.
Caution: Configuration changes necessary for a full vulnerability scan can temporarily
introduce additional risks. If possible, use a firewall or other method of mitigation, such as
FortiClient, to limit which hosts can access the target host during the vulnerability scan,
allowing only connections from the FortiAnalyzer, and undo any vulnerability scan
configuration changes after the scan.
Caution: Use care when creating a domain or local security policy, and verify that there is
no pre-existing security policy. If you are unsure whether or not there is already an existing
security policy in effect, consult the owner of the system. Creating a new console may
overwrite any existing policy, including applying default values to settings that you have not
modified specifically for the remote vulnerability scan.
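The cautions above ask that scan-related changes be undone after the scan. The following script is an added example, not part of the FortiAnalyzer guide: it shows the current setting, saves it before switching to Classic, and restores the saved value afterward. It assumes PowerShell 2.0 or later on the target host and that the policy is stored as the ForceGuest registry value under the Lsa key; the action names and the state file path are hypothetical.

```powershell
# Added example, not from the FortiAnalyzer guide. Run elevated on the target host.
# Assumption: the "Classic" / "Guest only" policy is stored as the ForceGuest
# DWORD under the Lsa key (0 = Classic, 1 = Guest only).
param(
    [ValidateSet('Show', 'Prepare', 'Restore')]
    [string]$Action = 'Show',
    # Hypothetical location for the saved pre-scan value.
    [string]$StateFile = "$env:SystemRoot\Temp\forceguest-prescan.txt"
)
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'ForceGuest'

function Get-ForceGuest {
    # Current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$Name }
    return $null
}
function Format-ForceGuest($Value) {
    if ($Value -eq $null) { return 'not set (OS default applies)' }
    if ($Value -eq 0)     { return 'Classic: local users authenticate as themselves' }
    return 'Guest only: remote logons get guest privileges'
}

$current = Get-ForceGuest
switch ($Action) {
    'Show' {
        "ForceGuest = $current ($(Format-ForceGuest $current))"
    }
    'Prepare' {
        # Refuse to run twice, so the original value is never overwritten.
        if (Test-Path $StateFile) { throw "Saved state already exists: $StateFile" }
        if ($current -eq $null) { 'absent' | Set-Content $StateFile }
        else                    { "$current" | Set-Content $StateFile }
        Set-ItemProperty -Path $LsaKey -Name $Name -Value 0 -Type DWord
        "Was: $(Format-ForceGuest $current). Now: $(Format-ForceGuest (Get-ForceGuest))"
    }
    'Restore' {
        if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile" }
        $saved = (Get-Content $StateFile | Select-Object -First 1).Trim()
        if ($saved -eq 'absent') {
            Remove-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $LsaKey -Name $Name -Value ([int]$saved) -Type DWord
        }
        Remove-Item $StateFile
        "Restored: $(Format-ForceGuest (Get-ForceGuest))"
    }
}
```

On hosts whose security policy is administered at the domain level, a policy refresh can overwrite a locally written value, so check the setting with the Show action immediately before the scan and again after the Restore action.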