In vulnerability scanning, there’s a big difference in an authenticated scan vs unauthenticated. Here’s why it matters, and why you should almost always go for an authenticated scan. Using authenticated scans is a vulnerability management best practice.
Lots of people misunderstand this. To quote myself about fifteen years ago: “Let me get this straight. I give you an admin account, and then you tell me you were able to log in?” It’s about logging in and assessing what’s wrong, not telling you we got in. Regardless of the tool you use, authenticated scans let the vulnerability scanner do its job better.
Authenticated scan vs unauthenticated: Better accuracy
When you scan without authentication, the vulnerability scanner probes the system. It’s able to tell you a surprising amount, but not everything. It can tell you the broad OS family the system belongs to and it can tell the difference between NT4 and XP and Vista or newer systems. It will probably find a good number of vulnerabilities but it may have to flag them as potential, indicating it’s not 100% certain about it.
Authenticated scans prove your patch management program is doing its job, and provides the data that patch management teams need in order to improve their processes going forward.
Authenticated scan vs unauthenticated: Better advice
When you scan with authentication, your scanner examines files rather than fuzzing services. So it can give very specific advice, such as a system being vulnerable to a specific vulnerability based on this particular file being this version.
It is possible to configure services to lie about their version numbers. Some services, like Oracle Weblogic, report only major version numbers and not the minor version. To accurately report what these services are running, it’s necessary to look at the filesystem. One of the reasons I like Qualys and Tenable solutions is that they look at the filesystem rather thoroughly to really try to report accurate results, even in the case of anomalies. Qualys claims better than 99.999% accuracy when you use authenticated scans. In my experience scanning networks with tens of thousands of hosts, that’s been about right.
Using an authenticated scan vs unauthenticated not only reduces false positives, but it also reduces false negatives. We don’t know the details of the Equifax breach of 2017, but one of the accusations that flew around in the aftermath was the possibility of a false negative.
Authenticated scan vs unauthenticated: Lower impact
An authenticated scan usually has less impact on a system than an unauthenticated scan. Some services don’t like being probed, and an authenticated scan eliminates the need to probe the service. The vulnerability scanner can just log in, ask the operating system what’s installed, what’s running, and where. Then it can check a few files to validate, then move on to the next system.
The authenticated scan may or may not be faster, but it has less impact on the system and the network.