I helped a company troubleshoot its vulnerability scans recently. They had multiple Windows domains because of their line of business. This made scans difficult, but we found some solutions. Here are some tips for authenticated scans across multiple domains.
Scanning multiple domains in a single scan can cause account lockouts if the usernames and passwords don’t all match. Three possible solutions include separating each domain into its own scan, using completely unique accounts to scan, or syncing up the accounts so they have the same username and password.
Authentication is tricky
Authentication can be tricky. My introduction to vulnerability management came when Qualys locked out the user account my SIEM used to collect logs. My advice to any vulnerability management vendor is not to get too smug about authentication. All of them get authentication wrong sometimes.
This particular company was using a Tenable tool. But these practices won’t hurt any scanning tool, and can only help. Authentication is important, so it’s good to get it right.
Separate domains into their own scans
Creating a separate target group for each domain, with its own domain authentication record and its own scan, is probably the most certain way to clear up authentication issues. Then you know what account that group of assets should be using. It can be inconvenient because it means more scans to juggle, but I’ve had to separate assets out for dumber reasons than this. I see this as being more valid than having to separate AS/400s out into separate scans with the SMB ports excluded to keep Qualys from misidentifying them as Windows machines.
Use separate usernames and passwords
Using the same username with different passwords across domains is a sure-fire way to end up locking out accounts. This is especially true with Tenable but it can be problematic in other tools as well. To save yourself some heartache, use a different username in each domain, even if it’s vmscan1, vmscan2, vmscan3, and so on.
Use the exact same username and password in each domain
The other workaround is to use the exact same username and password in each domain. That way, if the tool picks the wrong credentials, it’s still right. This situation is less than ideal if only because it keeps you from being able to integrate your scanning tool with a password vault like Cyber-Ark. But if you’re stuck and need a solution in a hurry, this is probably the fastest, easiest solution to get a scan done. Just remember, this is the bubblegum-and-duct-tape solution, not the right solution.
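To make the lockout mechanism behind these three tips concrete, here is a small model added to this post (not a tool from the original, and not how Tenable or Qualys actually schedules credentials). It assumes a scanner tries every credential record attached to a scan against each host until one works, and that each domain counts bad passwords per account and locks at a constructed threshold of five; the domain names, hostnames and passwords are made up.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # constructed value; real domain policies vary

def run_scan(hosts, credentials, accounts):
    """Model one authenticated scan. hosts: list of (hostname, domain);
    credentials: list of (username, password) records attached to the scan;
    accounts: {(domain, username): password} for accounts that really exist.
    Returns (set of hosts that authenticated, set of locked accounts)."""
    bad_count = defaultdict(int)
    locked, authenticated = set(), set()
    for host, domain in hosts:
        for user, password in credentials:
            key = (domain, user.lower())
            if key not in accounts or key in locked:
                continue  # no such user in this domain, or already locked
            if accounts[key] == password:
                authenticated.add(host)
                break
            bad_count[key] += 1  # a wrong password burns one lockout attempt
            if bad_count[key] >= LOCKOUT_THRESHOLD:
                locked.add(key)
    return authenticated, locked

# Constructed inventory: five hosts in each of two domains.
HOSTS_A = [(f"a-srv{i}", "corp-a") for i in range(5)]
HOSTS_B = [(f"b-srv{i}", "corp-b") for i in range(5)]

def scenarios():
    """Return {scenario: (hosts authenticated, locked accounts)}."""
    results = {}
    # The problem: same username, different passwords, both domains in one scan.
    accts = {("corp-a", "vmscan"): "pwA", ("corp-b", "vmscan"): "pwB"}
    creds = [("vmscan", "pwA"), ("vmscan", "pwB")]
    auth, locked = run_scan(HOSTS_A + HOSTS_B, creds, accts)
    results["shared name, different passwords"] = (len(auth), locked)
    # Fix 1: one scan per domain, each carrying only its own record.
    auth_a, lock_a = run_scan(HOSTS_A, creds[:1], accts)
    auth_b, lock_b = run_scan(HOSTS_B, creds[1:], accts)
    results["separate scans"] = (len(auth_a | auth_b), lock_a | lock_b)
    # Fix 2: a unique username per domain, still one scan.
    accts2 = {("corp-a", "vmscan1"): "pwA", ("corp-b", "vmscan2"): "pwB"}
    creds2 = [("vmscan1", "pwA"), ("vmscan2", "pwB")]
    auth, locked = run_scan(HOSTS_A + HOSTS_B, creds2, accts2)
    results["unique usernames"] = (len(auth), locked)
    # Fix 3: identical username and password in every domain.
    accts3 = {("corp-a", "vmscan"): "pw", ("corp-b", "vmscan"): "pw"}
    auth, locked = run_scan(HOSTS_A + HOSTS_B, [("vmscan", "pw")], accts3)
    results["identical credentials"] = (len(auth), locked)
    return results
```

Calling `scenarios()` shows the first case locking corp-b's vmscan account on the fifth host, while each of the three fixes authenticates all ten hosts with no lockouts.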